From edf1e2e8e03ef90892c480a5e25cb70bf34dfed0 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 6 Dec 2020 19:29:19 +0100
Subject: [PATCH] Auth: webui session usernames and case sensitivity. for
 https://github.com/opnsense/core/issues/4451

---
 src/etc/inc/authgui.inc                        |  3 ++-
 .../mvc/app/library/OPNsense/Auth/Base.php     | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
index 38915085b..17fa8e884 100644
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -111,7 +111,8 @@ function session_auth(&$Login_Error)
         if ($is_authenticated) {
             // Generate a new id to avoid session fixation
             session_regenerate_id();
-            $_SESSION['Username'] = $_POST['usernamefld'];
+            // XXX: eventually we should replace the login flow for a service based one (IService).
+            $_SESSION['Username'] = $authenticator->getUserName($_POST['usernamefld']);
             $_SESSION['last_access'] = time();
             $_SESSION['protocol'] = $config['system']['webgui']['protocol'];
             if ($authenticator != null && $authenticator->shouldChangePassword($_SESSION['Username'], $_POST['passwordfld'])) {
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
index 098fb56d9..d4c521ed5 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
@@ -130,4 +130,22 @@ abstract class Base
         }
         return $userObject;
     }
+
+    /**
+     * return actual username.
+     * This is more or less a temporary function to support case insensitive names in sessions
+     * @param string $username username
+     * @return string
+     */
+    public function getUserName($username)
+    {
+        if ($this->caseInSensitiveUsernames) {
+            $user = $this->getUser($username);
+            if ($user) {
+                return (string)$user->name;
+            }
+        } else {
+            return $username;
+        }
+    }
 }