🐛(backend) harden email matching against ambiguous cases

Handle case-sensitivity and whitespace in email lookups. Detect and block multiple matching accounts as security precaution.
2024-11-04 14:01:09 +01:00
parent c1bc379744
commit d370a4db10
1 changed files with 5 additions and 1 deletions
--- a/src/backend/core/authentication/backends.py
+++ b/src/backend/core/authentication/backends.py
@@ -96,7 +96,11 @@ class OIDCAuthenticationBackend(MozillaOIDCAuthenticationBackend):
        except User.DoesNotExist:
            if email and settings.OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION:
                try:
-                    return User.objects.get(email=email)
+                    return User.objects.get(email__iexact=email)
                except User.DoesNotExist:
                    pass
+                except User.MultipleObjectsReturned as e:
+                    raise SuspiciousOperation(
+                        _("Multiple user accounts share a common email.")
+                    ) from e
        return None