Since support for case insensitive usernames has been added, they are interpreted as arbitrary regexes due to the following code:
this.db.findOne({username: {$regex: new RegExp(credentials.username, 'i')}}).exec((err, user) => {
You can login without knowing a valid username just by entering .* as username. Luckily, you still need to provide the correct password so it is not a total authentication bypass.
You should only be able to login to an account by entering the full username.
You can enter .* or any other regex.
In my opinion, the change that added case-insensitive usernames should be reverted. I don't see any clear benefits by having them and it complicates user handling and thereby might introduce additional bugs further down the line.
Or, just do .toLowerCase()...
This is my PR, and a massive overlook on my part. The string should be regex-escaped before being used.
Thanks @jr64 for bringing this up. I reverted the change!
Most helpful comment
Or, just do
.toLowerCase()...