Flood: Usernames are interpreted as regexes on login

Created on 16 Dec 2017  路  3Comments  路  Source: Flood-UI/flood

Since support for case insensitive usernames has been added, they are interpreted as arbitrary regexes due to the following code:

this.db.findOne({username: {$regex: new RegExp(credentials.username, 'i')}}).exec((err, user) => {

You can login without knowing a valid username just by entering .* as username. Luckily, you still need to provide the correct password so it is not a total authentication bypass.

Expected Behavior



You should only be able to login to an account by entering the full username.

Current Behavior



You can enter .* or any other regex.

Possible Solution



In my opinion, the change that added case-insensitive usernames should be reverted. I don't see any clear benefits by having them and it complicates user handling and thereby might introduce additional bugs further down the line.

Steps to Reproduce (for bugs)


  1. enter .* as username
  2. enter the correct password
  3. login successfully
bug security

Most helpful comment

Or, just do .toLowerCase()...

All 3 comments

Or, just do .toLowerCase()...

This is my PR, and a massive overlook on my part. The string should be regex-escaped before being used.

Thanks @jr64 for bringing this up. I reverted the change!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

NoLooseEnds picture NoLooseEnds  路  3Comments

noeuse picture noeuse  路  5Comments

EternalBlack picture EternalBlack  路  6Comments

rkkoszewski picture rkkoszewski  路  6Comments

noraj picture noraj  路  4Comments