jupyterhub / firstuseauthenticator

JupyterHub Authenticator that lets users set passwords when they first log in
BSD 3-Clause "New" or "Revised" License

normalize username to lock password #38

Closed georgejhunt closed 2 years ago

georgejhunt commented 3 years ago

Prevent username with changed capitalization from taking over an existing username/password combination.

Root cause: jupyterhub lower-cases the username, but firstuseauthenticator does not. So an alternate capitalization of the username gains access to, and creates a parallel path to, user files (multiple capitalizations of the username have access).

holta commented 3 years ago

I've confirmed that this critical security fix works.

Thank you @georgejhunt for these very important patches to firstuseauthenticator!

Related:

welcome[bot] commented 2 years ago

Congrats on your first merged pull request in this project! :tada: Thank you for contributing, we are very proud of you! :heart:

minrk commented 2 years ago

Thanks! I've updated this to call the normalize_username method, which encapsulates whatever JupyterHub does to normalize a username.
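The root cause in the PR description and the fix minrk describes above, as an added example that is not code from this repository or from JupyterHub. It is a toy model: `FirstUseStore` is an in-memory stand-in for the dbm password file, `_hash` uses PBKDF2 in place of the bcrypt hash the real authenticator stores, and `normalize_username` is assumed to lower-case, which is what JupyterHub's default `Authenticator.normalize_username` does (the real method can also apply a `username_map`, which is why the merged change calls the method rather than `.lower()`). The hub-side username returned on success is always the normalized one, because JupyterHub normalizes the name it uses for the user record and home directory regardless of what the authenticator stored.

```python
import hashlib
import hmac
import os


def normalize_username(username: str) -> str:
    # Stand-in for JupyterHub's Authenticator.normalize_username.
    # Assumption: the default implementation lower-cases the name.
    return username.lower()


def _hash(password: str, salt: bytes) -> bytes:
    # Stand-in for the bcrypt hash FirstUseAuthenticator keeps in its dbm file.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class FirstUseStore:
    """Toy model of the password database: key -> (salt, hash).

    normalize=False keys on the raw username the user typed (the pre-#38
    behaviour); normalize=True keys on the JupyterHub-normalized name (the fix).
    """

    def __init__(self, normalize: bool):
        self.normalize = normalize
        self.db = {}

    def _key(self, username: str) -> str:
        return normalize_username(username) if self.normalize else username

    def authenticate(self, username: str, password: str):
        """Return the hub-side (normalized) username on success, else None."""
        key = self._key(username)
        if key not in self.db:
            # First login for this key: whatever was typed becomes the password.
            salt = os.urandom(16)
            self.db[key] = (salt, _hash(password, salt))
            return normalize_username(username)
        salt, stored = self.db[key]
        if hmac.compare_digest(stored, _hash(password, salt)):
            return normalize_username(username)
        return None


def takeover_possible(normalize: bool) -> bool:
    """Register 'alice', then log in as 'Alice' with a different password.

    Returns True if the second login is accepted as hub user 'alice' without
    alice's password, i.e. a case-variant takeover. Sample users are constructed.
    """
    store = FirstUseStore(normalize=normalize)
    assert store.authenticate("alice", "correct horse") == "alice"
    return store.authenticate("Alice", "wrong password") == "alice"


def entry_count(normalize: bool) -> int:
    """How many separate password entries 'alice', 'Alice' and 'ALICE' create."""
    store = FirstUseStore(normalize=normalize)
    for name in ("alice", "Alice", "ALICE"):
        store.authenticate(name, "pw-" + name)
    return len(store.db)


if __name__ == "__main__":
    print("takeover before fix:", takeover_possible(normalize=False))  # True
    print("takeover after fix: ", takeover_possible(normalize=True))   # False
    print("entries before fix: ", entry_count(normalize=False))        # 3
    print("entries after fix:  ", entry_count(normalize=True))         # 1
```

The check that matters for an existing deployment is the unnormalized case: a dbm file written before the fix may already hold several case variants of one name, so after upgrading it is worth listing its keys and merging or removing any that collapse to the same normalized username.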