From: Tom Hughes <tom@compton.nu>
Date: Tue, 13 Feb 2024 18:48:17 +0000 (+0000)
Subject: Merge remote-tracking branch 'upstream/pull/4515'
X-Git-Tag: live~856
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/c9b891ce0a5c109e678a173309056c9586daec4b?hp=f0a64eacbcb1a72dcec4b1a6bbf01c2e1839cdd0

Merge remote-tracking branch 'upstream/pull/4515'
---

diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index ba2858ce4..3c2084a5b 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -20,7 +20,7 @@ class SessionsController < ApplicationController
   def create
     session[:remember_me] ||= params[:remember_me]
     session[:referer] = safe_referer(params[:referer]) if params[:referer]
-    password_authentication(params[:username], params[:password])
+    password_authentication(params[:username].strip, params[:password])
   end
 
   def destroy
diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
index a94a9a158..4234bee70 100644
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -48,6 +48,14 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     post login_path, :params => { :username => user.display_name, :password => "test" }
     assert_response :redirect
     assert_redirected_to root_path
+
+    post login_path, :params => { :username => " #{user.display_name}", :password => "test" }
+    assert_response :redirect
+    assert_redirected_to root_path
+
+    post login_path, :params => { :username => "#{user.display_name} ", :password => "test" }
+    assert_response :redirect
+    assert_redirected_to root_path
   end
 
   def test_logout_without_referer