From 6690a28cc0c7b2444058218c5c9a20091b99581c Mon Sep 17 00:00:00 2001
From: "Cleopatra Enjeck M."
Date: Mon, 24 Feb 2025 06:17:00 +0000
Subject: [PATCH 1/3] fix: Use case insensitive check when validating login name

Signed-off-by: Cleopatra Enjeck M.
---
 lib/private/User/Session.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 408ebffb390..77993f737a5 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -780,7 +780,7 @@ class Session implements IUserSession, Emitter {
 * Check if login names match
 */
 private function validateTokenLoginName(?string $loginName, IToken $token): bool {
- if ($token->getLoginName() !== $loginName) {
+ if (strtolower($token->getLoginName() ?? '') !== strtolower($loginName ?? '')) {
 // TODO: this makes it impossible to use different login names on browser and client
 // e.g. login by e-mail 'user@example.com' on browser for generating the token will not
 // allow to use the client token with the login name 'user'.
From a6d6a1fa9e0db43e6b33e8874b979cc1f87d8be5 Mon Sep 17 00:00:00 2001
From: "Cleopatra Enjeck M."
Date: Tue, 25 Feb 2025 06:36:53 +0000
Subject: [PATCH 2/3] fix: Improve string comparison

Signed-off-by: Cleopatra Enjeck M.
---
 lib/private/User/Session.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 77993f737a5..7a21473d20c 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
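Review bot: The added line makes a null `$loginName` compare equal to an empty token login name, because both sides are coerced with `?? ''` before lowercasing, whereas the removed strict comparison treated `null !== ''` as a mismatch; the commit message covers only case-insensitivity, so if a token can be stored with an empty login name (not visible here) this quietly widens what validateTokenLoginName accepts. Keeping null an explicit mismatch avoids that: `if ($loginName === null || strtolower($token->getLoginName() ?? '') !== strtolower($loginName)) {`. The same `$loginName ?? ''` coercion is carried into the second and third patches of this series. No test accompanies the change in any of the three patches (each diffstat lists only lib/private/User/Session.php); a unit test covering a mixed-case match, a non-ASCII login name and a null login name would pin the intended behaviour. The body of validateTokenLoginName continues past the hunk, so the return path on mismatch is not visible here.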
@@ -780,7 +780,7 @@ class Session implements IUserSession, Emitter {
 * Check if login names match
 */
 private function validateTokenLoginName(?string $loginName, IToken $token): bool {
- if (strtolower($token->getLoginName() ?? '') !== strtolower($loginName ?? '')) {
+ if (strcasecmp($token->getLoginName(), $loginName ?? '') !== 0) {
 // TODO: this makes it impossible to use different login names on browser and client
 // e.g. login by e-mail 'user@example.com' on browser for generating the token will not
 // allow to use the client token with the login name 'user'.
From 32e46a8b3ae2939491949f914f0e6530f7e4157e Mon Sep 17 00:00:00 2001
From: "Cleopatra Enjeck M."
Date: Mon, 3 Mar 2025 04:18:59 +0000
Subject: [PATCH 3/3] fix: use mb_strtolower to convert login name

Signed-off-by: Cleopatra Enjeck M.
---
 lib/private/User/Session.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 7a21473d20c..9a5713630c5 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -780,7 +780,7 @@ class Session implements IUserSession, Emitter {
 * Check if login names match
 */
 private function validateTokenLoginName(?string $loginName, IToken $token): bool {
- if (strcasecmp($token->getLoginName(), $loginName ?? '') !== 0) {
+ if (mb_strtolower($token->getLoginName()) !== mb_strtolower($loginName ?? '')) {
 // TODO: this makes it impossible to use different login names on browser and client
 // e.g. login by e-mail 'user@example.com' on browser for generating the token will not
 // allow to use the client token with the login name 'user'.
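Review bot: The final comparison on the added line of the third patch calls `mb_strtolower` without an encoding argument, so the case mapping follows the runtime's `mbstring.internal_encoding`/`default_charset` rather than the encoding login names are stored in; passing it explicitly removes that dependency: `if (mb_strtolower($token->getLoginName(), 'UTF-8') !== mb_strtolower($loginName ?? '', 'UTF-8')) {`. The token side also lost the `?? ''` guard the first patch in this series had, so if getLoginName() can return null this now passes null into mb_strtolower, which PHP 8.1+ reports as deprecated — worth confirming against IToken. Note too that mb_strtolower is a case mapping, not a case fold, so pairs such as 'ß'/'SS' still differ; that only matters if the user backend resolves login names more loosely than this check, which is not visible here. The widened match deserves a why-comment above the condition, e.g. `// Compare case-insensitively: the client may send the login name in a different case than the one stored with the token`. validateTokenLoginName continues past the hunk.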