Always authentify projects using a lowercase ID. (#925)

Fixes #920
spiral-project · Nov 21, 2021 · beac10b · beac10b
1 parent 4d6a5aa
commit beac10b
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 17 deletions.
diff --git a/ihatemoney/api/common.py b/ihatemoney/api/common.py
@@ -18,11 +18,11 @@ def need_auth(f):
     @wraps(f)
     def wrapper(*args, **kwargs):
         auth = request.authorization
-        project_id = kwargs.get("project_id")
+        project_id = kwargs.get("project_id").lower()
 
         # Use Basic Auth
-        if auth and project_id and auth.username == project_id:
-            project = Project.query.get(auth.username)
+        if auth and project_id and auth.username.lower() == project_id:
+            project = Project.query.get(auth.username.lower())
             if project and check_password_hash(project.password, auth.password):
                 # The whole project object will be passed instead of project_id
                 kwargs.pop("project_id")

diff --git a/ihatemoney/tests/api_test.py b/ihatemoney/tests/api_test.py
@@ -18,21 +18,15 @@ def api_create(
         password = password or name
         contact = contact or f"{name}@notmyidea.org"
 
+        data = {
+            "name": name,
+            "id": id,
+            "password": password,
+            "contact_email": contact,
+        }
         if default_currency:
-            data = {
-                "name": name,
-                "id": id,
-                "password": password,
-                "contact_email": contact,
-                "default_currency": default_currency,
-            }
-        else:
-            data = {
-                "name": name,
-                "id": id,
-                "password": password,
-                "contact_email": contact,
-            }
+            data["default_currency"] = default_currency
+
         return self.client.post(
             "/api/projects",
             data=data,
@@ -905,6 +899,14 @@ def test_log_created_from_api_call(self):
         self.assertEqual(resp.data.decode("utf-8").count("<td> -- </td>"), 2)
         self.assertNotIn("127.0.0.1", resp.data.decode("utf-8"))
 
+    def test_project_creation_with_mixed_case(self):
+        self.api_create("Raclette")
+        # get information about it
+        resp = self.client.get(
+            "/api/projects/Raclette", headers=self.get_auth("Raclette")
+        )
+        self.assertStatus(200, resp)
+
 
 if __name__ == "__main__":
     unittest.main()
diff --git a/ihatemoney/tests/budget_test.py b/ihatemoney/tests/budget_test.py
@@ -511,6 +511,19 @@ def test_authentication(self):
             self.assertNotIn("Authentication", resp.data.decode("utf-8"))
             self.assertTrue(session["is_admin"])
 
+    def test_authentication_with_upper_case(self):
+        self.create_project("Raclette")
+
+        # try to connect with the right credentials should work
+        with self.app.test_client() as c:
+            resp = c.post(
+                "/authenticate", data={"id": "Raclette", "password": "Raclette"}
+            )
+
+            self.assertNotIn("Authentication", resp.data.decode("utf-8"))
+            self.assertIn("Raclette", session)
+            self.assertTrue(session["Raclette"])
+
     def test_admin_authentication(self):
         self.app.config["ADMIN_PASSWORD"] = generate_password_hash("pass")
         # Disable public project creation so we have an admin endpoint to test