New User Usernames are Unexpectedly Sanitized #556

Closed
opened 2026-02-05 17:45:56 +03:00 by OVERLORD · 9 comments

Originally created by @redthirten on GitHub (Jan 24, 2026).

Current Behavior

Creating a new user, either via the installer (the first root admin) or via the admin panel, will sanitize/change the specified username in unexpected ways.

So far, I have experienced the following changes applied to the username, but there may be more I haven't found yet:

  • A "to lower" is applied, making all uppercase letters lowercase (a problem when usernames are case-sensitive).
  • Dashes (-) are removed. Other "sensitive" characters (like *#^) don't seem to be removed though, but I haven't tested all of them.

For example, a username of Red-Thirten is changed to redthirten. This is a problem because it's not just visual; logging in with Red-Thirten will not work, which immediately locks me out of the panel after installation.

Expected Behavior

  1. Create a new user with a username containing uppercase letters and/or dashes.
  2. The username is saved to the database as-is, or unaccepted characters are noted in an error and not ultimately accepted.

Steps to Reproduce

  1. Create a new user with a username containing uppercase letters and/or dashes.
  2. Check the saved username field to see what the actual "incorrect" username will be.

Panel Version

1.0.0-beta31

Wings Version

N/A

Games and/or Eggs Affected

No response

Docker Image

No response

Error Logs


Is there an existing issue for this?

  • I have searched the existing issues before opening this issue.
  • I have provided all relevant details, including the specific game and Docker images I am using if this issue is related to running a server.
  • I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.
OVERLORD added the 🟢 easy label 2026-02-05 17:45:56 +03:00

@redthirten commented on GitHub (Jan 24, 2026):

As a side note, I fundamentally disagree with #710. Every online service I can think of that has username logins is case-sensitive. The only thing that should be case-insensitive is email logins, because that's part of the email standard.

Edit: Wait, can you use either email or username for login with Pelican?


@Boy132 commented on GitHub (Jan 25, 2026):

> [...] Wait, can you use either email or username for login with Pelican?

Yes.


@redthirten commented on GitHub (Jan 25, 2026):

@Boy132 Ahh, okay. Should we re-label "Login" to "Username or Email" to reduce confusion then? I've always disliked website login forms that are vague with what they want, especially when I haven't used a service in a while and forgot what I used to sign up with (e.g. a username or an email), when all along the website is actually okay with both.

@All Regardless, to avoid confusion, string manipulation should not occur on user-defined credentials before they are committed to the database. If characters need to be prohibited, it should be clearly stated which characters are allowed, and an error should occur if prohibited characters are used. If convenience needs to be present in the form of case-insensitive emails, string manipulation should occur on the comparison of provided and stored credentials; not upon creation.


@notAreYouScared commented on GitHub (Jan 25, 2026):

I can't think of a big service that has case-sensitive login for usernames. I don't see how it's an issue?


@parkervcp commented on GitHub (Jan 25, 2026):

Case-sensitive or not, we are stripping dashes from usernames.

It's causing at least one person who expects a specific format to work and it's not. In theory red-thirten and Red-Thirten should be treated the same.


@redthirten commented on GitHub (Jan 25, 2026):

> I can't think of a big service that has case-sensitive login for usernames. I don't see how it's an issue?

@notAreYouScared I'd prefer my username to be stored and displayed case-sensitive, and have the case ignored upon login. While annoying (to me), I will concede that this is not a big issue. However, removing the dash does fundamentally change the username by removing a character. If I create my account, save it to my password manager, and then log out, I will not be able to log back in (unless I knew that I could use my email instead, which the panel doesn't make clear, and that isn't what is stored in my manager).
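An added sketch (not Pelican's code and not written by any commenter) of the approach discussed in this thread: reject disallowed characters with an error, store the username as typed, and ignore case only when comparing at login. The allowed character set, the length limits and the `UserStore` class are assumptions made for illustration; `silent_sanitize` only models the lowercase-and-strip-dashes behaviour reported in the issue.

```python
import re

# Assumed policy for this sketch: letters, digits, '.', '_', '-'; 3 to 32 characters.
DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")


def silent_sanitize(name):
    """Model of the behaviour reported above: lowercase, then drop dashes."""
    return name.lower().replace("-", "")


def check_username(name):
    """Return a list of problems; an empty list means the name is stored as typed."""
    problems = []
    bad = sorted(set(DISALLOWED.findall(name)))
    if bad:
        problems.append(f"characters not allowed: {bad}")
    if not 3 <= len(name) <= 32:
        problems.append("length must be 3 to 32 characters")
    return problems


class UserStore:
    """In-memory stand-in for a users table with a unique index on the login key."""

    def __init__(self):
        self.by_key = {}  # case-folded key -> username exactly as typed

    def create(self, name):
        problems = check_username(name)
        if problems:
            raise ValueError("; ".join(problems))  # tell the user, change nothing
        key = name.casefold()  # used for comparison and uniqueness only
        if key in self.by_key:
            raise ValueError(f"username already taken: {self.by_key[key]}")
        self.by_key[key] = name
        return name

    def find(self, typed):
        """Look up the stored username for what was typed at login, or None."""
        return self.by_key.get(typed.casefold())
```

Under the modelled sanitization, `Red-Thirten` and `redthirten` collapse to the same stored value, whereas here they remain two distinct accounts and `red-thirten` still finds `Red-Thirten` at login.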


@Boy132 commented on GitHub (Jan 25, 2026):

I agree that the unexpected sanitization of the username is a problem. Originally this was only done for subusers and then got refactored to apply to all users. I don't know why dashes were removed originally, this is probably a leftover from ancient times?


@notAreYouScared commented on GitHub (Jan 25, 2026):

I can take a look into it. We would also need to verify SFTP works with a username with a -


@redthirten commented on GitHub (Jan 25, 2026):

I just checked Pterodactyl, and SFTP works on it with a dash. However, I just noticed it also makes usernames all lower case. I guess I just never noticed, because any time a user is displayed cosmetically it uses their first and last name instead, whereas Pelican seems to have removed those fields. Maybe lowercase is required to avoid confusion with SFTP usernames being case-sensitive?

For the record, I'm okay with prohibiting the dash if that's easier. It's the lack of communication to the end user that it will happen that is the problem.

Reference: starred/panel-pelican-dev#556