wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Password recovery failure with special characters in username #18700

Open Avarjana opened 9 months ago

Avarjana commented 9 months ago

Describe the issue: For special character combinations in username, password recovery flow is not working. The cause could be with the changes introduced to manipulate the filter in https://github.com/wso2/carbon-kernel/blob/dd6a4e0bb6016120f4bef8870e107cce89a33d74/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/UniqueIDJDBCUserStoreManager.java#L144.

How to reproduce:

Expected behavior:

Related issues:

ashanthamara commented 8 months ago

It is decided not to allow *, ?, % characters in the username (refer to the comment).

In the password recovery flow, when the user enters the username, it gets encoded by username-resolver.jsp [1] before the username is sent to the BE. So when the username includes special (wildcard) characters, escape characters are added to the username. Due to that reason the system cannot find the user in the UM_USER table, since the query uses the = operator to look for an exact match on the given username [2].

[1] - https://github.com/wso2/identity-apps/blob/40832fe050d89b898017b1f70b0bcf7a06840228/identity-apps-core/apps/recovery-portal/src/main/webapp/includes/username-resolver.jsp#L28
[2] - https://github.com/wso2/carbon-kernel/blob/eadf79ed01140d1a41d64f56be8281147b7e4071/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/UniqueIDJDBCUserStoreManager.java#L1289

ashanthamara commented 8 months ago

All the fixes are deployed in the product-is. Hence closing the issue. Tested artifact: https://wso2.org/jenkins/job/products/job/product-is/5024/

ashanthamara commented 7 months ago

Reopening since the initial fix has been reverted https://github.com/wso2/carbon-kernel/pull/3796

Avarjana commented 7 months ago

There is an issue where the escape character is causing the user listing function to misbehave.

I think it could be fixed by changing the escape here [1]:

// Double every backslash first (regex "\\\\" matches one '\', replacement yields '\\'),
// so a backslash already in the filter is not later read as the LIKE escape character.
filter = filter.replaceAll("\\\\", "\\\\\\\\");
// Then escape '_' as "\_" so it is matched literally instead of as a single-character LIKE wildcard.
filter = filter.replaceAll("_", "\\\\_");

[1] https://github.com/wso2/carbon-kernel/blob/450a85b130dd8956fc3c743d2f0ae972313095f7/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/UniqueIDJDBCUserStoreManager.java#L196
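The failure described in the two comments above, as an added example that is not part of this issue or of the WSO2 code base: a LIKE-style escape is applied to the username, which is fine for a LIKE filter but defeats an exact `=` lookup. SQLite stands in for the UM_USER table and the row contents are constructed.

```python
import sqlite3

# Constructed sample rows standing in for UM_USER (column name assumed).
SAMPLE_USERS = ["john_doe", "john%doe", "johndoe", "back\\slash"]


def escape_like(value: str) -> str:
    """Escape LIKE metacharacters so a value is matched literally in a LIKE
    pattern. Same order as the replaceAll() lines above: backslash first,
    then the wildcards, so an added '\\' is never escaped a second time."""
    return (value.replace("\\", "\\\\")
                 .replace("%", "\\%")
                 .replace("_", "\\_"))


def _db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UM_USER (UM_USER_NAME TEXT)")
    conn.executemany("INSERT INTO UM_USER VALUES (?)",
                     [(u,) for u in SAMPLE_USERS])
    return conn


def find_exact(conn, username: str) -> list:
    """Exact match, as the recovery flow does it. '=' compares the raw
    string, so an already-escaped username can never match."""
    rows = conn.execute(
        "SELECT UM_USER_NAME FROM UM_USER WHERE UM_USER_NAME = ?",
        (username,)).fetchall()
    return [r[0] for r in rows]


def find_like(conn, pattern: str) -> list:
    """Pattern match, where the escape IS needed: without it '_' and '%'
    act as wildcards and over-match."""
    rows = conn.execute(
        "SELECT UM_USER_NAME FROM UM_USER WHERE UM_USER_NAME LIKE ? ESCAPE '\\'",
        (pattern,)).fetchall()
    return [r[0] for r in rows]


def demo(username: str = "john_doe") -> dict:
    conn = _db()
    escaped = escape_like(username)
    return {
        "raw_exact": find_exact(conn, username),        # found
        "escaped_exact": find_exact(conn, escaped),     # [] : the reported bug
        "unescaped_like": find_like(conn, username),    # '_' over-matches
        "escaped_like": find_like(conn, escaped),       # literal match only
    }
```

The takeaway is that escaping belongs to the LIKE query path only; the value handed to an `=` comparison must stay raw.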

DMHP commented 7 months ago

Reducing the priority as the original issue is fixed.