[Fix] Login via email, prevent Usernames with certain chars

2026-02-16 13:58:06 +01:00
parent 58ab5b33e3
commit 5150027f0d
2 changed files with 29 additions and 5 deletions
--- a/epdb/views.py
+++ b/epdb/views.py
@ -6,7 +6,9 @@ from typing import Any, Dict, List
 import nh3
 from django.conf import settings as s
 from django.contrib.auth import get_user_model
-from django.core.exceptions import BadRequest, PermissionDenied
+from django.contrib.auth.validators import UnicodeUsernameValidator
+from django.core.exceptions import BadRequest, PermissionDenied, ValidationError
+from django.core.validators import validate_email
 from django.http import HttpResponse, HttpResponseBadRequest, HttpResponseNotAllowed, JsonResponse
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
@ -159,15 +161,28 @@ def login(request):
        password = request.POST.get("password")

        # Get email for username and check if the account is active
+        try:
+            # Try username and if it fails check if username is a valid email adress and we'll find a user
            try:
                temp_user = get_user_model().objects.get(username=username)
+            except get_user_model().DoesNotExist as e:
+                # validate_email returns None if input is valid -> check for None
+                # Otherwise a ValidationError is raised
+                if validate_email(username) is None:
+                    temp_user = get_user_model().objects.get(email=username)
+                else:
+                    raise e

            if not temp_user.is_active:
                context["message"] = "User account is not activated yet!"
                return render(request, "static/login.html", context)

            email = temp_user.email
-        except get_user_model().DoesNotExist:
+        except (get_user_model().DoesNotExist, ValidationError):
+            context["message"] = "Login failed!"
+            return render(request, "static/login.html", context)
+        except Exception as e:
+            logger.info(f"Uncaught exception while trying to login: {e}")
            context["message"] = "Login failed!"
            return render(request, "static/login.html", context)

@ -230,6 +245,13 @@ def register(request):
            context["message"] = "Invalid username/email/password"
            return render(request, "static/login.html", context)

+        if UnicodeUsernameValidator(username) is not None:
+            context["message"] = (
+                "Enter a valid username. This value may contain only letters, "
+                "numbers, and @/./+/-/_ characters."
+            )
+            return render(request, "static/login.html", context)
+
        if password != rpassword or password == "":
            context["message"] = "Registration failed, provided passwords differ!"
            return render(request, "static/login.html", context)
--- a/templates/static/login.html
+++ b/templates/static/login.html
@ -82,13 +82,13 @@

      <div class="form-control">
        <label class="label" for="username">
-          <span class="label-text">Username</span>
+          <span class="label-text">Account</span>
        </label>
        <input
          type="text"
          id="username"
          name="username"
-          placeholder="username"
+          placeholder="Username or Email"
          class="input input-bordered w-full"
          required
          autocomplete="username"
@ -164,6 +164,8 @@
          name="username"
          placeholder="username"
          class="input input-bordered w-full"
+          pattern="^[A-Za-z0-9@.+_\-]{3,150}$"
+          title="Only letters, numbers, and @ . + - _ are allowed"
          required
          autocomplete="username"
        />