[Zope-PAS] [Zope-CMF] PAS: authenticateCredentials: check lowercase too?
Wichert Akkerman
wichert at wiggy.net
Fri Dec 28 09:56:28 UTC 2012
On Dec 27, 2012, at 20:52, Tres Seaver <tseaver at palladion.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> (PAS stuff is OT for the CMF list. Please follow up on zope-pas at zope.org
> or the equivalent Gmane newsgroup).
>
> On 12/27/2012 01:22 PM, Maurits van Rees wrote:
>> Hi,
>>
>> In Products/PluggableAuthService/plugins/ZODBUserManager.py I would
>> like to check the lower case version of the passed login name as
>> well:
>>
>> def authenticateCredentials( self, credentials ):
>>     login = credentials.get( 'login' )
>>     password = credentials.get( 'password' )
>>     if login is None or password is None:
>>         return None
>>     userid = self._login_to_userid.get(login)
>>     if userid is None:
>>         # HERE STARTS THE EXTRA CODE:
>>         login = login.lower()
>>         userid = self._login_to_userid.get(login)
>>         if userid:
>>             # Update the login in the credentials, as they might
>>             # be used elsewhere.
>>             credentials['login'] = login
>>         else:
>>             return None
>>         # HERE ENDS THE EXTRA CODE.
>>     reference = self._user_passwords.get(userid)
>>     if reference is None:
>>         return None
>>     ...
>>     # etcetera
>>
>>
>> For example, in the case of Plone, we may be using the email address
>> as login name. Some people use a mix of upper and lower case in their
>> email address, for example "Maurits at VanRees.Org". When logging in
>> fails, they start to wonder whether they have remembered their
>> password wrongly or if they have entered their email address in lower
>> case or if they have capitalized it differently. The result: a
>> support call.
>>
>> I have seen this happen several times for a customer and have heard
>> the same from one other person on the plone core developers list.
>>
>> It would help if PAS would first check with the exact spelling given
>> and if that fails, try the completely lowercase version. Note that
>> this should be safe: if this somehow gets a different user id than
>> intended, the password should still match that user.
>>
>> I have used the above code in a patch in the collective.emaillogin
>> add-on in Plone 3 for a long time now and have not had complaints
>> since. Of course it has more patches that make sure that the login
>> name is actually lowercased before adding a new user, but that is
>> outside the scope of this mail.
>>
>> I think the above code would be fine to put in core PAS. It is safe
>> as far as I can tell and the extra processing time required when a
>> login fails should be small. Is anyone against that?
>
> I would prefer to have the case insensitivity be a configurable option of
> the plugin (in which case it would always lowercase the login when the
> user was created or updated, as well as before comparing).
A bit more specifically, you need to define a canonical spelling of a login name and a way to convert a login name to the canonical version, which is applied at every point a login name is passed in via the PAS API. lower() would then be a possible transformation to get such a canonical spelling. It might make sense to do that in PAS so you don't have to duplicate that in all PAS plugins.
Wichert.
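The canonical-spelling approach from this reply, as an added illustration that is not PAS code and not part of the thread: a small, hypothetical user-manager stand-in (`CanonicalizingUserManager`, `lowercase_login` and the PBKDF2 password storage are all assumptions made here; the real ZODBUserManager delegates password encoding to AuthEncoding) that applies one configurable canonicalization at every entry point which receives a login name. Canonicalizing at add/update time is what makes the single lookup at authentication time unambiguous: a second account whose login folds to the same canonical spelling is refused instead of being created.

```python
import hashlib
import hmac
import os


def lowercase_login(login):
    """Canonical spelling used in this example: surrounding whitespace
    stripped and the login case-folded (lower() being one possible choice,
    as the reply notes)."""
    return login.strip().lower()


class CanonicalizingUserManager:
    """Hypothetical stand-in for a PAS user-manager plugin (not the real
    ZODBUserManager). ``canonicalize`` is the configurable transformation
    under discussion; it is applied at every entry point that accepts a
    login name, so stored logins and lookups always agree."""

    def __init__(self, canonicalize=None):
        # Default is the identity: exact, case-sensitive matching.
        self._canonicalize = canonicalize if canonicalize else (lambda login: login)
        self._login_to_userid = {}
        self._userid_to_login = {}
        self._user_passwords = {}

    @staticmethod
    def _hash(password, salt=None):
        # PBKDF2-HMAC-SHA256 with a per-user salt; an assumption for this
        # example only.
        salt = salt if salt is not None else os.urandom(16)
        digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, 100000)
        return salt, digest

    def addUser(self, userid, login, password):
        login = self._canonicalize(login)
        # Refusing a second spelling that folds to an existing login is
        # what keeps the later lookup unambiguous.
        if login in self._login_to_userid:
            raise ValueError('login already in use: %r' % login)
        if userid in self._userid_to_login:
            raise ValueError('userid already exists: %r' % userid)
        self._login_to_userid[login] = userid
        self._userid_to_login[userid] = login
        self._user_passwords[userid] = self._hash(password)

    def updateUser(self, userid, login):
        login = self._canonicalize(login)
        owner = self._login_to_userid.get(login)
        if owner is not None and owner != userid:
            raise ValueError('login already in use: %r' % login)
        old = self._userid_to_login[userid]
        del self._login_to_userid[old]
        self._login_to_userid[login] = userid
        self._userid_to_login[userid] = login

    def authenticateCredentials(self, credentials):
        login = credentials.get('login')
        password = credentials.get('password')
        if login is None or password is None:
            return None
        # One lookup against the canonical spelling replaces the
        # "exact first, then lower()" double lookup from the patch.
        login = self._canonicalize(login)
        userid = self._login_to_userid.get(login)
        if userid is None:
            return None
        reference = self._user_passwords.get(userid)
        if reference is None:
            return None
        salt, expected = reference
        _, actual = self._hash(password, salt)
        if not hmac.compare_digest(expected, actual):
            return None
        # Pass the canonical spelling on, as later plugins may use it.
        credentials['login'] = login
        return userid, login
```

With the default identity transformation the manager behaves like an exact-match plugin and will create "Maurits@VanRees.Org" and "maurits@vanrees.org" as two separate accounts; that is exactly the state in which a lowercase-only fallback at authentication time can resolve a login to a userid other than the one intended. With `lowercase_login` configured, the second `addUser` is rejected and every later lookup hits the one canonical entry.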