maksim.khardin, 8mo ago

Creating a user with the same email could lock out other accounts

Hi, I found a problem while testing user creation; my scenario happened to be this:

1) have an instance admin/IAM owner that has the preferred login set to be the same as an email
2) register another user that has a different preferred login, but the same email

Now the IAM owner cannot log in, because the login form is throwing an error "User not found". I got it fixed by changing the new user's email, and the case is rather special, but it still looks like that shouldn't be the case. Is there any setting to prevent this from happening?
SaarPhil, 8mo ago
Well, under normal conditions it should not happen that one user's login name equals another user's login email address. However, it's an interesting occurrence from a security perspective. That way you could trick a system into granting you access to whatever another user can access. There are two thoughts I have:

1. Usernames should never match email addresses. However, it is quite complicated to properly recognize email addresses. Strictly following the RFCs you could go pretty wild with valid email addresses. So I'd generally restrict usernames to anything matching [a-zA-Z0-9-]*. That should be fine for a username. (Not to be mistaken for the user's actual name.)
2. Whatever is used for the login should be unique within the internal database. If it's usernames and email addresses, the system should not just make sure usernames are unique and email addresses are unique by themselves, but that the union of both is unique.

I think this relates to https://discord.com/channels/927474939156643850/1332002346359586917
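A sketch of the two rules SaarPhil describes, as an added example that is not code from this thread or from the project under discussion: usernames restricted to `[a-zA-Z0-9-]`, and one lookup index over the union of usernames and email addresses so that no login string ever resolves to more than one account. The in-memory registry, its method names, the case-insensitive normalization and the sample accounts are assumptions.

```python
import re
from collections import namedtuple

# Rule 1 from the thread: letters, digits and hyphens only, so a username can
# never contain '@' and never look like an email address.
USERNAME_RE = re.compile(r"[a-zA-Z0-9-]+")
User = namedtuple("User", "user_id username email")

class IdentifierConflict(ValueError):
    """A new username or email already resolves to an existing account."""

def normalize(identifier: str) -> str:
    return identifier.strip().lower()  # assumption: logins are case-insensitive

class UserRegistry:
    """Hypothetical in-memory user store; an assumption, not the project's code."""

    def __init__(self) -> None:
        self._users = {}  # user_id -> User
        # Rule 2: ONE index over the union of usernames and emails, so a login resolves to at most one account.
        self._login_index = {}  # normalized identifier -> user_id

    def create_user(self, username: str, email: str) -> User:
        if not USERNAME_RE.fullmatch(username):
            raise ValueError(f"username {username!r} must match [a-zA-Z0-9-]+")
        if "@" not in email:  # minimal sanity check; full RFC parsing is out of scope
            raise ValueError(f"email {email!r} is not an address")
        keys = {normalize(username), normalize(email)}
        for key in keys:
            if key in self._login_index:
                raise IdentifierConflict(f"{key!r} already belongs to another account")
        user = User(len(self._users) + 1, username, email)
        self._users[user.user_id] = user
        for key in keys:
            self._login_index[key] = user.user_id
        return user

    def resolve_login(self, identifier: str):
        """Map whatever the login form sent (username or email) to one account or None."""
        user_id = self._login_index.get(normalize(identifier))
        return None if user_id is None else self._users[user_id]

def try_create(registry: UserRegistry, username: str, email: str) -> str:
    # Returns 'created', 'conflict' or 'invalid' so the outcome can be asserted on.
    try:
        registry.create_user(username, email)
        return "created"
    except IdentifierConflict:
        return "conflict"
    except ValueError:
        return "invalid"
```

With this index, the second registration in the reported scenario is refused at creation time instead of silently shadowing the IAM owner's login.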
