From 928b8a71cf361b7bc2b8957c621f5b66c4657b1e Mon Sep 17 00:00:00 2001 From: TheCatLady <52870424+TheCatLady@users.noreply.github.com> Date: Sun, 16 May 2021 20:17:14 -0400 Subject: [PATCH] fix: perform case-insensitive match for local user email addresses (#1633) --- server/routes/auth.ts | 32 ++++++++++++++++++++++---------- server/routes/user/index.ts | 25 ++++++++++++++++--------- 2 files changed, 38 insertions(+), 19 deletions(-) diff --git a/server/routes/auth.ts b/server/routes/auth.ts index ca94e2a8c..abc44d4f0 100644 --- a/server/routes/auth.ts +++ b/server/routes/auth.ts @@ -40,9 +40,13 @@ authRoutes.post('/plex', async (req, res, next) => { const account = await plextv.getUser(); // Next let's see if the user already exists - let user = await userRepository.findOne({ - where: { plexId: account.id }, - }); + let user = await userRepository + .createQueryBuilder('user') + .where('user.plexId = :id', { id: account.id }) + .orWhere('LOWER(user.email) = :email', { + email: account.email.toLowerCase(), + }) + .getOne(); if (user) { // Let's check if their Plex token is up-to-date @@ -55,6 +59,12 @@ authRoutes.post('/plex', async (req, res, next) => { user.email = account.email; user.plexUsername = account.username; + // In case the user was previously a local account + if (user.userType === UserType.LOCAL) { + user.userType = UserType.PLEX; + user.plexId = account.id; + } + if (user.username === account.username) { user.username = ''; } @@ -164,10 +174,11 @@ authRoutes.post('/local', async (req, res, next) => { }); } try { - const user = await userRepository.findOne({ - select: ['id', 'password'], - where: { email: body.email }, - }); + const user = await userRepository + .createQueryBuilder('user') + .select(['user.id', 'user.password']) + .where('LOWER(user.email) = :email', { email: body.email.toLowerCase() }) + .getOne(); const isCorrectCredentials = await user?.passwordMatch(body.password); 
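Review bot: The added `.orWhere('LOWER(user.email) = :email', …)` in the `/plex` lookup lets a Plex sign-in resolve to any existing row with the same email. The hunk at -55,6 +59,12 then rewrites that row's `userType` and `plexId`, so the address Plex reports is enough to bind a local account and its permissions to a Plex identity. Whether Plex guarantees that address is verified is not visible here, so I would narrow the fallback: look up by `plexId` first, and match on email only for rows that are still `UserType.LOCAL`. That also removes the ambiguity of `getOne()` when one row matches the id and a different row matches the email, and it avoids calling `toLowerCase()` on a missing `account.email`. The handler starts and ends outside this hunk.

```typescript
// Prefer the stable Plex id; fall back to email only for unlinked local accounts
let user = await userRepository.findOne({
  where: { plexId: account.id },
});
if (!user && account.email) {
  user = await userRepository
    .createQueryBuilder('user')
    .where('LOWER(user.email) = :email', {
      email: account.email.toLowerCase(),
    })
    .andWhere('user.userType = :type', { type: UserType.LOCAL })
    .getOne();
}
// … unchanged: token refresh and profile update …
```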
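Review bot: The `/local` lookup on `LOWER(user.email)` assumes at most one row per lower-cased address, but nothing in this patch normalizes rows that were created while matching was case-sensitive. If two rows differ only in case, `getOne()` returns whichever the database yields first, and `passwordMatch` may then reject valid credentials or check them against the other account. The same assumption is made in the reset-password hunk (-231,9) and in the create-user check in `server/routes/user/index.ts` (-82,9). I would pair this with a migration that detects such duplicates and enforces uniqueness on the lower-cased value, or store emails lower-cased on write so that a plain indexed equality works. Wrapping the column in `LOWER()` also keeps an ordinary index on `email` from being used for this query.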
@@ -231,9 +242,10 @@ authRoutes.post('/reset-password', async (req, res) => { .json({ error: 'You must provide an email address.' }); } - const user = await userRepository.findOne({ - where: { email: body.email }, - }); + const user = await userRepository + .createQueryBuilder('user') + .where('LOWER(user.email) = :email', { email: body.email.toLowerCase() }) + .getOne(); if (user) { await user.resetPassword(); diff --git a/server/routes/user/index.ts b/server/routes/user/index.ts index 60d5c33e4..28dc2bd81 100644 --- a/server/routes/user/index.ts +++ b/server/routes/user/index.ts @@ -82,9 +82,12 @@ router.post( const body = req.body; const userRepository = getRepository(User); - const existingUser = await userRepository.findOne({ - where: { email: body.email }, - }); + const existingUser = await userRepository + .createQueryBuilder('user') + .where('LOWER(user.email) = :email', { + email: body.email.toLowerCase(), + }) + .getOne(); if (existingUser) { return next({ @@ -393,17 +396,21 @@ router.post( for (const rawUser of plexUsersResponse.MediaContainer.User) { const account = rawUser.$; - const user = await userRepository.findOne({ - where: [{ plexId: account.id }, { email: account.email }], - }); + const user = await userRepository + .createQueryBuilder('user') + .where('user.plexId = :id', { id: account.id }) + .orWhere('LOWER(user.email) = :email', { + email: account.email.toLowerCase(), + }) + .getOne(); if (user) { - // Update the users avatar with their plex thumbnail (incase it changed) + // Update the user's avatar with their Plex thumbnail, in case it changed user.avatar = account.thumb; user.email = account.email; user.plexUsername = account.username; - // in-case the user was previously a local account + // In case the user was previously a local account if (user.userType === UserType.LOCAL) { user.userType = UserType.PLEX; user.plexId = parseInt(account.id); 
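Review bot: `body.email.toLowerCase()` in the reset-password lookup throws a `TypeError` when the JSON body carries a truthy non-string `email` (a number, array or object), which the old `findOne({ where: { email: body.email } })` did not. The guard above it starts outside the hunk, but its message suggests it only checks presence, and no `try`/`catch` is visible around the query, so on this unauthenticated route the rejection would probably go unhandled. I would tighten the guard to `if (typeof body.email !== 'string' || !body.email) {` before the lookup. The create-user check in `server/routes/user/index.ts` (-82,9) calls `body.email.toLowerCase()` the same way and needs the same type check.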
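Review bot: In the import loop, `account.email.toLowerCase()` runs for every Plex user before the `account.email &&` guard that appears in the following hunk. That guard implies the field can be absent, and a single such entry would now throw and abort the import for everyone after it. I would add the email clause only when an address is present, so that id-only matching still works. The loop body continues outside this hunk.

```typescript
const userQuery = userRepository
  .createQueryBuilder('user')
  .where('user.plexId = :id', { id: account.id });
if (account.email) {
  userQuery.orWhere('LOWER(user.email) = :email', {
    email: account.email.toLowerCase(),
  });
}
const user = await userQuery.getOne();
// … unchanged: avatar/email/plexUsername update and LOCAL → PLEX conversion …
```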
@@ -418,7 +425,7 @@ router.post( if ( account.email && account.username && - (await mainPlexTv.checkUserAccess(Number(account.id))) + (await mainPlexTv.checkUserAccess(parseInt(account.id))) ) { const newUser = new User({ plexUsername: account.username,
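Review bot: `parseInt(account.id)` is called without a radix and, unlike the `Number(account.id)` it replaces, accepts a numeric prefix followed by other characters, so a malformed id is silently truncated instead of becoming `NaN`. I would write `parseInt(account.id, 10)` here and on the `user.plexId = parseInt(account.id);` line in the previous hunk. Parsing once into a local and skipping the entry when the result is `NaN` would keep a bad id out of `checkUserAccess` and the stored `plexId`. The `new User({ … })` call continues outside this hunk.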