Skip to content

AUTH_FIXES_DETAILS.md

Latest commit

 

History

History
122 lines (96 loc) · 3.89 KB

AUTH_FIXES_DETAILS.md

File metadata and controls

122 lines (96 loc) · 3.89 KB

Authentication Fixes Summary

Issues Found & Fixed

1. "Username Already Taken" on Registration

Problem: After successful registration, the subsequent login was failing silently, but the error message was misleading and said "Username already taken."

Root Causes:

  • Case-sensitive username and email lookups caused false positives
  • Username normalization wasn't happening during registration
  • Poor error handling in signup flow didn't distinguish between registration and login errors

Fixes Applied:

  • ✅ Normalize usernames to lowercase on registration (api_auth.py register endpoint)
  • ✅ Normalize usernames to lowercase on login (api_auth.py login endpoint)
  • ✅ Improved error handling in signup page to show specific error messages
  • ✅ Split error handling to distinguish registration errors from login errors

2. "Email or Password Invalid" on Login

Problem: Login was failing even with correct credentials due to case-sensitive username lookups.

Root Causes:

  • Username lookup was case-sensitive using .ilike() inconsistently
  • Users could enter different case variations of their username
  • The username wasn't normalized consistently between registration and login

Fixes Applied:

  • ✅ Normalize username input to lowercase before database queries
  • ✅ Use exact equality check (==) after normalization instead of .ilike()
  • ✅ Separate password verification into its own check for clearer debugging

Files Modified

Backend (backend/app/)

api_auth.py

# REGISTER ENDPOINT
- Normalize username: user_data.username.lower().strip()
- Normalize email: user_data.email.lower().strip()
- Store normalized versions in database
- Better logging with normalized username

# LOGIN ENDPOINT  
- Normalize username: form_data.username.lower().strip()
- Use normalized username for exact database lookup
- Separate null check from password verification for better error handling

Frontend (frontend/app/auth/)

signup/page.tsx

// Improved error handling
- Step 1: Try registration
- Step 2: Try login (with separate error handling)
- Step 3: Get user info and redirect
- Show specific error message for each step

Testing Checklist

  • Register with username "TestUser" → should normalize to "testuser"
  • Register with same username in different case "TESTUSER" → should fail with "already registered"
  • Login with "TestUser" using correct password → should work
  • Login with "testuser" using correct password → should work
  • Login with wrong password → should show "Incorrect username or password"
  • Register with same email in different case → should fail with "already registered"

How It Works Now

  1. Registration Flow:

    User enters: Username="JohnDoe", Email="John@Email.com"
↓
Normalize: username="johndoe", email="john@email.com"
↓
Check if exists (case-insensitive check with ilike)
↓
Store normalized version in database

  2. Login Flow:

    User enters: Username="johndoe", Password="password123"
↓
Normalize: username="johndoe"
↓
Find user with exact match (username="johndoe")
↓
Verify password hash
↓
Return token if successful

Migration Note

⚠️ Important: If you have existing users with non-normalized usernames in the database from before these fixes, you may need to:

  1. Clear the users table: DELETE FROM users;
  2. Or normalize existing usernames to lowercase
  3. Restart the backend

Then users can re-register with their preferred username case.

Testing the Fix

# Terminal 1: Start backend
cd backend
python -m uvicorn app.main:app --reload

# Terminal 2: Start frontend
cd frontend
npm run dev

# Test in browser:
1. Go to http://localhost:3000/auth/signup
2. Register with any username/email
3. You should be logged in automatically
4. Try logging out and logging back in