Description
Hello there,
After using Cipherlayer for some time, a bug related to the user login endpoint was spotted. There exists a function named getFromUsernamePassword which looks up a user via a username and password combination on the Mongo database.
This way of searching users seems out of place, since a regular expression is used for the username, as follows:
username = new RegExp(escapeRegexp(username.toLowerCase()), "i");
Perhaps the main point of this search behaviour would be finding a username in a case-insensitive way. However, during the user signup process, the username is set to lowercase before saving the new user into the database.
Therefore, when looking up a user via a username/password combination, the previous line could be replaced with the following one:
username = username.toLowerCase()
As an example, consider that I have two users in my Mongo database with the following emails and the same password:
nicolas.jaremek@limonade.es
nicolas.jaremek@limon.es
Login attempts with the following emails return access and refresh tokens associated with the nicolas.jaremek@limonade.es username:
nicolas.jaremek@limonade.es
nicolas.jaremek@limonade.e
nicolas.jaremek@limonade.
nicolas.jaremek@limonade
nicolas.jaremek@limonad
nicolas.jaremek@limona
However, using any of the following usernames returns the tokens associated with nicolas.jaremek@limon.es:
nicolas.jaremek@limon
nicolas.jaremek@limo
nicolas.jaremek@lim
and so on...
It feels more consistent to search users via an exact match of the username.
Could you shed some light on why the regular expression is used for the user search? Was it due to some particular requirement?
I could send a PR to fix this issue, but knowing your opinion on this matter first would be helpful.
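The behaviour reported above, reproduced as an added example that is not part of the issue or of Cipherlayer's own code. It runs the two lookup strategies (the current case-insensitive regex and the proposed exact match on the lowercased username) against an in-memory stand-in for the Mongo users collection. The user records, the plaintext password field and the `escapeRegexp` helper are assumptions made for the demo; the helper mirrors what escape-string-regexp does, and array order stands in for Mongo's natural document order, which is what decides the winner when several documents match.

```javascript
// Added example, not Cipherlayer's code: compares a regex username lookup
// with an exact-match lookup on a constructed users collection.

// Assumed helper with the same behaviour as escape-string-regexp: quote every
// regex metacharacter so the username is matched literally.
function escapeRegexp(str) {
  return str.replace(/[|\\{}()[\]^$+*?.-]/g, "\\$&");
}

// Constructed records. Usernames are stored lowercase, as the signup path does.
// The plaintext "password" field is a stand-in for whatever credential the
// real query compares on.
const users = [
  { username: "nicolas.jaremek@limonade.es", password: "secret" },
  { username: "nicolas.jaremek@limon.es", password: "secret" },
];

// Stand-in for collection.findOne(query): a RegExp condition is tested
// against the field, anything else must be strictly equal. Array order plays
// the role of Mongo's natural order, so the first matching document wins.
function findOne(collection, query) {
  const hit = collection.find((doc) =>
    Object.entries(query).every(([field, cond]) =>
      cond instanceof RegExp ? cond.test(doc[field]) : doc[field] === cond
    )
  );
  return hit || null;
}

// Current lookup: the username becomes an unanchored, case-insensitive regex,
// so it matches anywhere inside a stored username, not only at the start.
function getFromUsernamePasswordRegex(collection, username, password) {
  const re = new RegExp(escapeRegexp(username.toLowerCase()), "i");
  const doc = findOne(collection, { username: re, password });
  return doc ? doc.username : null;
}

// Proposed lookup: lowercase the supplied username and require an exact match.
// Case-insensitivity is preserved because stored usernames are lowercase too.
function getFromUsernamePasswordExact(collection, username, password) {
  const doc = findOne(collection, { username: username.toLowerCase(), password });
  return doc ? doc.username : null;
}

// Every stored username the regex lookup would accept for the given input,
// to make the over-matching visible independently of document order.
function regexCandidates(collection, username, password) {
  const re = new RegExp(escapeRegexp(username.toLowerCase()), "i");
  return collection
    .filter((u) => re.test(u.username) && u.password === password)
    .map((u) => u.username);
}

// Usage: truncated and partial inputs against both strategies.
for (const input of [
  "nicolas.jaremek@limonade.es",
  "nicolas.jaremek@limonade",
  "nicolas.jaremek@limon",
  "jaremek@limon.es",
]) {
  console.log(
    JSON.stringify(input),
    "regex ->", getFromUsernamePasswordRegex(users, input, "secret"),
    "candidates ->", JSON.stringify(regexCandidates(users, input, "secret")),
    "exact ->", getFromUsernamePasswordExact(users, input, "secret")
  );
}
```

The candidate list shows why the issue sees one user for some prefixes and the other for shorter ones: `nicolas.jaremek@limonade` only matches the first record, while `nicolas.jaremek@limon` matches both and the returned document is simply whichever the database yields first. Because the regex is unanchored, even a suffix such as `jaremek@limon.es` logs in as a full account; the exact-match variant returns nothing for every input that is not the complete stored username.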