When logging in, if the username entered isn't the intended one and doesn't exist yet, instead of displaying a login error a new account will be created with the other username and the user will be logged in to that account.
This happens because most browsers allow pressing Return to submit the form, defaulting to the first button, which happens to be the register button.
Whilst this issue is not critical in terms of security, it is triggered accidentally by a pretty high amount and causes the need to do unwanted amounts of account purging, especially as there isn't a proper set of admin tools yet.
Suggested solution: button autoselect should be coerced to login button, never allow autoselect of register button.
When logging in, if the username entered isn't the intended one and doesn't exist yet, instead of displaying a login error a new account will be created with the other username and the user will be logged in to that account. This happens because most browsers allow pressing Return to submit the form, defaulting to the first button, which happens to be the register button.
Whilst this issue is not critical in terms of security, it is triggered accidentally by a pretty high amount and causes the need to do unwanted amounts of account purging, especially as there isn't a proper set of admin tools yet.
Suggested solution: button autoselect should be coerced to login button, never allow autoselect of register button.
Regressed commit: #31, ee37792