Normalize stored usernames on auth load

verify_password() and create_session() both call .strip().lower() on the incoming username, but _load() stored keys verbatim from auth.json. Any mixed-case key (e.g. written by manual edit or a future migration) would never match, producing a permanent 'Invalid credentials' error. Fix: lowercase all keys at load time so the in-memory dict always matches what the login path expects. Fixes #423
2026-06-02 02:20:36 +05:30
parent 5da662441c
commit 63d93ff211
1 changed files with 9 additions and 0 deletions
--- a/core/auth.py
+++ b/core/auth.py
@@ -73,6 +73,15 @@ class AuthManager:
            if os.path.exists(self.auth_path):
                with open(self.auth_path, "r", encoding="utf-8") as f:
                    self._config = json.load(f)
+                # Normalize all stored usernames to lowercase so they match
+                # the .strip().lower() applied at login/verify time. Fixes
+                # "Invalid credentials" when auth.json was written with
+                # mixed-case keys (e.g. via manual edit or a future migration).
+                if "users" in self._config:
+                    self._config["users"] = {
+                        k.strip().lower(): v
+                        for k, v in self._config["users"].items()
+                    }
                logger.info("Auth config loaded")
            else:
                self._config = {}