Possible bug? #5437
Comments
If the username does not match exactly, you should not be allowed to log in. That being said, the following seems like a good choice too.
@louislam what do you think:
@CommanderStorm, @louislam, Although it is not standard to make usernames case-sensitive, there are some arguments for situations where it might be necessary. Below are the arguments elaborated:
Conclusion: While case sensitivity reduces user-friendliness, it can be useful or necessary in very specific cases. This is particularly true when technical or security objectives require username complexity, or when the system relies heavily on uniqueness and differentiation between usernames. However, in most standard environments, the drawbacks outweigh the benefits.
That's the point, and in fact, the main issue for me. Some PRs prepare UK for external auth providers (LDAP for example with #4751). Therefore, we can't affirm all of the solutions have case sensitivity disabled. For example, I just tried to connect to my LemonLDAP instance, bound to my LDAP. It appears my username is case-sensitive, and I can create another user with uppercase letters. Therefore, UK needs (at my point) to keep the username case-sensitive. BUT something we can do is set the username to lowercase in the registration/setup process, and when other users are created from UK (#3571), since lowercase is mainly used elsewhere.
@Ionys320, Although I stated in my conclusion, "However, in most standard environments, the drawbacks outweigh the benefits," I believe this does not apply to Uptime Kuma. Uptime Kuma uses As a personal note, I support some user inconvenience if it leads to better security. I hope that @louislam agrees with this approach and keeps the username case-sensitive.
Yes, I think we should keep the current implementation, simply because I don't want to create any unexpected breaking change, for example, if someone has already created But I remember some people said that their saved passwords were not working; it may be because of this.
@louislam, Can you provide more context about this? So far, from what I've seen and understood, the passwords are not stored as plaintext but hashed? Or am I mistaken?
I guess the main issue is that a password manager can set the username to lowercase. That's why I suggested this:
@Ionys320, I don't know of any password manager that defaults to converting usernames to lowercase. If this happens, it seems to be a user error in the settings of the password manager. If this is not the case, I recommend switching to another password manager, such as Bitwarden.
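The breaking-change concern and the lowercase-on-registration suggestion discussed in the comments above can be checked before any change is made. This is an added example, not Uptime Kuma's code: the function names and the sample usernames are hypothetical and constructed for illustration.

```javascript
"use strict";

// Canonical form used only for comparison, never for storage:
// Unicode NFKC normalization followed by locale-independent lowercasing.
function canonical(username) {
    return username.normalize("NFKC").toLowerCase();
}

// Audit step: group stored usernames by canonical form. Any group with more
// than one member would merge into a single identity if lookups became
// case-insensitive, which is the breaking change the maintainers want to avoid.
function findCollisions(usernames) {
    const groups = new Map();
    for (const name of usernames) {
        const key = canonical(name);
        if (!groups.has(key)) {
            groups.set(key, []);
        }
        groups.get(key).push(name);
    }
    return [...groups.values()].filter((group) => group.length > 1);
}

// Registration check: refuse a new name that differs from an existing one
// only by case, so no further look-alike accounts are created.
function canRegister(usernames, candidate) {
    return !usernames.some((name) => canonical(name) === canonical(candidate));
}

// Login resolution: an exact match always wins (current behaviour). A
// case-insensitive fallback is used only when it identifies exactly one
// account; an ambiguous match resolves to nothing. The password check
// still happens afterwards against the resolved account.
function resolveLogin(usernames, typed) {
    if (usernames.includes(typed)) {
        return typed;
    }
    const matches = usernames.filter((name) => canonical(name) === canonical(typed));
    return matches.length === 1 ? matches[0] : null;
}

// Constructed sample data: two accounts that differ only by case.
const existing = ["Admin", "admin", "Alice", "bob"];
console.log(findCollisions(existing));
console.log(resolveLogin(existing, "alice"), resolveLogin(existing, "ADMIN"));
```

An empty result from `findCollisions` means existing accounts would not be merged by a case-insensitive lookup; it says nothing about an external provider such as LDAP, which may still treat case as significant.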
I have found these related issues/pull requests
None that I know for certain are related.
Security Policy
Description
The web GUI was rejecting my login even after resetting my password. I went searching through open issues trying to find a solution but only found old closed cases with no solution. The problem I was having is that the username is case sensitive and my username was stored in my password manager without the matching uppercase characters. I am not certain if this counts as a "bug" but thought I would post for anyone else having a similar issue.
Reproduction steps
Create a new login and use capitalization in the username. Then try logging in with all lowercase in the username.
Expected behavior
Normally, I would expect the username field to not be case sensitive.
Actual Behavior
Username field is case sensitive.
Uptime-Kuma Version
1.23.15
Operating System and Arch
Docker
Browser
Firefox 133.0.3
Deployment Environment
Relevant log output
No response