From e20985ecb40e71a278cba1e897cd437c285db173 Mon Sep 17 00:00:00 2001
From: Matt Owens
Date: Sun, 2 Oct 2022 14:16:46 -0400
Subject: [PATCH] Treat fediverse usernames as case-insensitive (#2155)

* treat fediverse usernames as case-insensitive for auth

* add test for case insensitive, clean up duplicate import in federverse auth controller

* fix test, there was an issue with state when all the tests were run
---
 auth/fediverse/fediverse.go | 3 ++-
 auth/fediverse/fediverse_test.go | 20 +++++++++++++++++++-
 controllers/auth/fediverse/fediverse.go | 3 +--
 3 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/auth/fediverse/fediverse.go b/auth/fediverse/fediverse.go
index 404af3916..8fced2fb2 100644
--- a/auth/fediverse/fediverse.go
+++ b/auth/fediverse/fediverse.go
@@ -3,6 +3,7 @@ package fediverse
 import (
 	"crypto/rand"
 	"io"
+	"strings"
 	"time"
 )
 
@@ -37,7 +38,7 @@ func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string)
 		Code: code,
 		UserID: userID,
 		UserDisplayName: userDisplayName,
-		Account: account,
+		Account: strings.ToLower(account),
 		Timestamp: time.Now(),
 	}
 	pendingAuthRequests[accessToken] = r
diff --git a/auth/fediverse/fediverse_test.go b/auth/fediverse/fediverse_test.go
index 912736d05..8b4059d9c 100644
--- a/auth/fediverse/fediverse_test.go
+++ b/auth/fediverse/fediverse_test.go
@@ -1,6 +1,9 @@
 package fediverse
 
-import "testing"
+import (
+	"strings"
+	"testing"
+)
 
 const (
 	accessToken = "fake-access-token"
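Review bot: The new `Account: strings.ToLower(account)` line normalizes the handle only at OTP registration; every other site that stores, compares or looks up an account (the controller consuming `authRegistration.Account`, and any records written before this change with mixed case) has to apply the same normalization, or one handle spelled two ways can end up as two distinct identities. `strings.ToLower` is a per-rune simple case mapping rather than full Unicode case folding, so it is only a canonical form if the accepted character set is restricted or a single shared normalization helper is used at each comparison site — worth confirming against the callers, which are outside this hunk. A comment on the line would record the intent: `// Fediverse handles are case-insensitive; store the canonical lowercase form so one handle cannot map to two identities.` RegisterFediverseOTP's body begins before this hunk.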
@@ -58,3 +61,18 @@ func TestSingleOTPFlowRequest(t *testing.T) {
 		t.Error("Second registration should not be permitted.")
 	}
 }
+
+func TestAccountCaseInsensitive(t *testing.T) {
+	account := "Account"
+	accessToken := "another-fake-access-token"
+	r1, _ := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
+	_, reg1 := ValidateFediverseOTP(accessToken, r1.Code)
+
+	// Simulate second auth with account in different case
+	r2, _ := RegisterFediverseOTP(accessToken, userID, userDisplayName, strings.ToUpper(account))
+	_, reg2 := ValidateFediverseOTP(accessToken, r2.Code)
+
+	if reg1.Account != reg2.Account {
+		t.Errorf("Account names should be case-insensitive: %s %s", reg1.Account, reg2.Account)
+	}
+}
diff --git a/controllers/auth/fediverse/fediverse.go b/controllers/auth/fediverse/fediverse.go
index 6192e712e..e4533ddcc 100644
--- a/controllers/auth/fediverse/fediverse.go
+++ b/controllers/auth/fediverse/fediverse.go
@@ -7,7 +7,6 @@ import (
 
 	"github.com/owncast/owncast/activitypub"
 	"github.com/owncast/owncast/auth"
-	"github.com/owncast/owncast/auth/fediverse"
 	fediverseauth "github.com/owncast/owncast/auth/fediverse"
 	"github.com/owncast/owncast/controllers"
 	"github.com/owncast/owncast/core/chat"
@@ -57,7 +56,7 @@ func VerifyFediverseOTPRequest(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	accessToken := r.URL.Query().Get("accessToken")
-	valid, authRegistration := fediverse.ValidateFediverseOTP(accessToken, req.Code)
+	valid, authRegistration := fediverseauth.ValidateFediverseOTP(accessToken, req.Code)
 	if !valid {
 		w.WriteHeader(http.StatusForbidden)
 		return
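Review bot: `TestAccountCaseInsensitive` discards the `valid` result of both `ValidateFediverseOTP` calls and the second return of both `RegisterFediverseOTP` calls, so if either step fails `reg1` and `reg2` are zero values with equal empty `Account` fields and the test passes vacuously. It also only checks that the two accounts equal each other, not that they equal `strings.ToLower(account)`, so a regression that folded both to upper case would still pass. Assert `valid` after each validation and compare both registrations against the expected lowercase form; the second `RegisterFediverseOTP` return value is worth checking too once its type is confirmed (it is not visible in this hunk). The controller hunks in this commit only drop a duplicate import and switch to the existing `fediverseauth` alias, so no separate note there.
```go
	valid1, reg1 := ValidateFediverseOTP(accessToken, r1.Code)
	if !valid1 {
		t.Fatal("first OTP validation should succeed")
	}
	// … unchanged: second registration with strings.ToUpper(account) …
	valid2, reg2 := ValidateFediverseOTP(accessToken, r2.Code)
	if !valid2 {
		t.Fatal("second OTP validation should succeed")
	}
	if want := strings.ToLower(account); reg1.Account != want || reg2.Account != want {
		t.Errorf("Account names should be case-insensitive: got %q and %q, want %q", reg1.Account, reg2.Account, want)
	}
```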