From 63d93ff2111bed0190a2ccbb6f4400b6fbdd1291 Mon Sep 17 00:00:00 2001
From: Yatsuiii <155452778+Yatsuiii@users.noreply.github.com>
Date: Tue, 2 Jun 2026 02:20:36 +0530
Subject: [PATCH] Normalize stored usernames on auth load

verify_password() and create_session() both call .strip().lower() on
the incoming username, but _load() stored keys verbatim from auth.json.
Any mixed-case key (e.g. written by manual edit or a future migration)
would never match, producing a permanent 'Invalid credentials' error.

Fix: lowercase all keys at load time so the in-memory dict always
matches what the login path expects.

Fixes #423
---
 core/auth.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/core/auth.py b/core/auth.py
index 7ba036c..953704f 100644
--- a/core/auth.py
+++ b/core/auth.py
@@ -73,6 +73,15 @@ class AuthManager:
             if os.path.exists(self.auth_path):
                 with open(self.auth_path, "r", encoding="utf-8") as f:
                     self._config = json.load(f)
+                # Normalize all stored usernames to lowercase so they match
+                # the .strip().lower() applied at login/verify time. Fixes
+                # "Invalid credentials" when auth.json was written with
+                # mixed-case keys (e.g. via manual edit or a future migration).
+                if "users" in self._config:
+                    self._config["users"] = {
+                        k.strip().lower(): v
+                        for k, v in self._config["users"].items()
+                    }
                 logger.info("Auth config loaded")
             else:
                 self._config = {}