From 9a50a5693e2ab17d7a2af19a2302b89bef185abd Mon Sep 17 00:00:00 2001
From: iglocska
Date: Mon, 19 Sep 2022 01:12:14 +0200
Subject: [PATCH] fix: [users] added uniqueness to usernames
- added upgrade script with removal of duplicate usernames
- added unique index to username field
- massaging the usernames before insertion (trim + lowercasing)
- As reported by SK-CERT
---
 .../20220918000001_unique_usernames.php | 35 +++++++++++++++++++
 src/Model/Table/UsersTable.php | 11 ++++--
 2 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 config/Migrations/20220918000001_unique_usernames.php
diff --git a/config/Migrations/20220918000001_unique_usernames.php b/config/Migrations/20220918000001_unique_usernames.php
new file mode 100644
index 0000000..ce41c1c
--- /dev/null
+++ b/config/Migrations/20220918000001_unique_usernames.php
@@ -0,0 +1,35 @@
+table('users');
+ $exists = $table->hasIndexByName('users', 'username');
+ $this->execute('DELETE FROM users WHERE id NOT IN (SELECT MIN(id) FROM users GROUP BY LOWER(username));');
+ if (!$exists) {
+ $table->addIndex(
+ [
+ 'username'
+ ],
+ [
+ 'unique' => true
+ ]
+ )->save();
+ }
+ }
+}
diff --git a/src/Model/Table/UsersTable.php b/src/Model/Table/UsersTable.php
index 61f06b8..b4caebe 100644
--- a/src/Model/Table/UsersTable.php
+++ b/src/Model/Table/UsersTable.php
@@ -7,12 +7,14 @@ use Cake\ORM\Table;
 use Cake\Validation\Validator;
 use Cake\ORM\RulesChecker;
 use Cake\ORM\TableRegistry;
-use \Cake\Datasource\EntityInterface;
-use \Cake\Http\Session;
+use Cake\Event\EventInterface;
+use Cake\Datasource\EntityInterface;
+use Cake\Http\Session;
 use Cake\Http\Client;
 use Cake\Utility\Security;
 use Cake\Core\Configure;
 use Cake\Utility\Text;
+use ArrayObject;
 class UsersTable extends AppTable
 {
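Review bot: The dedup statement `DELETE FROM users WHERE id NOT IN (SELECT MIN(id) FROM users GROUP BY LOWER(username))` names the target table inside its own subquery, which MySQL (and, as far as I recall, MariaDB before 10.3) rejects with error 1093, so on those backends the migration aborts before the unique index is ever created; wrapping the subquery in a derived table avoids this: `DELETE FROM users WHERE id NOT IN (SELECT id FROM (SELECT MIN(id) AS id FROM users GROUP BY LOWER(username)) AS survivors);`. The rows it drops are whole accounts chosen purely by lowest id, with no record of which usernames were removed, so I would SELECT and log the victims before deleting — an operator otherwise cannot tell which of two `Admin`/`admin` variants survived or who lost access. `$table->hasIndexByName('users', 'username')` also looks off: the Phinx/Migrations method takes a single index name, so as written it checks for an index literally called `users` and the `$exists` guard will presumably never fire; `$table->hasIndex(['username'])` is the column-based check. Note the trimming added to `beforeMarshal` is not mirrored here, so `admin` and `admin ` are kept as distinct rows, and the first line of this hunk appears truncated in this rendering (the `<?php` header and class declaration are missing), so the migration class itself could not be reviewed.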
@@ -54,6 +56,11 @@ class UsersTable extends AppTable
 $this->setDisplayField('username');
 }
+ public function beforeMarshal(EventInterface $event, ArrayObject $data, ArrayObject $options)
+ {
+ $data['username'] = trim(mb_strtolower($data['username']));
+ }
+
 private function initAuthBehaviors()
 {
 if (!empty(Configure::read('keycloak'))) {
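Review bot: `beforeMarshal` reads `$data['username']` unconditionally, so any marshal call whose payload omits the field — an edit form that only touches email or role, a partial update from the API — raises an undefined-index notice and, via `mb_strtolower(null)` (deprecated in PHP 8.1, returns `''`), writes an empty username back into the entity, which on save would replace the existing one unless a validator rejects the empty string. Guard the field first: `if (isset($data['username']) && is_string($data['username'])) {` / `    $data['username'] = trim(mb_strtolower($data['username']));` / `}` — the `is_string` check also keeps an array posted as `username` from reaching `mb_strtolower` as a TypeError. Uniqueness itself is enforced only by the database index from the migration, so a duplicate still surfaces as a driver exception rather than a validation error; adding `$rules->add($rules->isUnique(['username']));` in `buildRules` (outside this hunk) gives the caller a proper message while the index remains the race-safe backstop. Lowercasing does not collapse Unicode look-alikes (Cyrillic `а` versus Latin `a`), so if usernames are shown to other users as identity, consider restricting the character set or NFKC-normalising in the same hook.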