fix(auth): case-insensitive owner migration on username rename (#1183)

Use func.lower() when updating SQL owner columns, match prefs keys case-insensitively, and normalize session usernames before comparing during rename. Prevents silently skipping legacy mixed-case owner data. Fixes #1165
2026-06-16 17:55:26 -04:00 · 2026-06-02 19:48:15 +05:30
parent 5b87e69221
commit 6b7dd4ea28
3 changed files with 99 additions and 5 deletions
@@ -297,6 +297,7 @@ def setup_auth_routes(auth_manager: AuthManager) -> APIRouter:
        # owner-scoped DB rows before changing auth so the account keeps
        # access to its sessions, docs, email accounts, tasks, etc.
        try:
+            from sqlalchemy import func
            from core.database import Base, SessionLocal
            db = SessionLocal()
            try:
@@ -306,7 +307,7 @@ def setup_auth_routes(auth_manager: AuthManager) -> APIRouter:
                        continue
                    (
                        db.query(model)
-                        .filter(model.owner == old_username)
+                        .filter(func.lower(model.owner) == old_username)
                        .update({"owner": new_username}, synchronize_session=False)
                    )
                db.commit()
@@ -324,9 +325,15 @@ def setup_auth_routes(auth_manager: AuthManager) -> APIRouter:
            from routes.prefs_routes import _load as _load_prefs, _save as _save_prefs
            prefs = _load_prefs()
            users = prefs.get("_users") if isinstance(prefs, dict) else None
-            if isinstance(users, dict) and old_username in users and new_username not in users:
-                users[new_username] = users.pop(old_username)
-                _save_prefs(prefs)
+            if isinstance(users, dict):
+                prefs_key = next(
+                    (k for k in users if str(k).strip().lower() == old_username),
+                    None,
+                )
+                new_taken = any(str(k).strip().lower() == new_username for k in users)
+                if prefs_key is not None and not new_taken:
+                    users[new_username] = users.pop(prefs_key)
+                    _save_prefs(prefs)
        except Exception as e:
            logger.warning("Failed to rename user prefs %s -> %s: %s", old_username, new_username, e)