From e174ed93a4d68f02cbd15920c7c01b350230f844 Mon Sep 17 00:00:00 2001
From: root <root@vscode.infinity>
Date: Mon, 27 Apr 2026 03:26:12 +0000
Subject: [PATCH] fix(server): trim username whitespace on login like register
 does

register() strips leading/trailing whitespace from the username before
storing it; login() was not, so a user who typed " alice " at login
would get a 401 even though their account existed as "alice". Now both
handlers trim consistently.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 solitaire_server/src/auth.rs           |  3 ++-
 solitaire_server/tests/server_tests.rs | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/solitaire_server/src/auth.rs b/solitaire_server/src/auth.rs
index 0498e08..86bacf2 100644
--- a/solitaire_server/src/auth.rs
+++ b/solitaire_server/src/auth.rs
@@ -173,10 +173,11 @@ pub async fn login(
     State(pool): State<SqlitePool>,
     Json(body): Json<AuthRequest>,
 ) -> Result<Json<AuthResponse>, AppError> {
+    let username = body.username.trim().to_string();
     let row = sqlx::query_as!(
         UserRow,
         "SELECT id, password_hash FROM users WHERE username = ?",
-        body.username
+        username
     )
     .fetch_optional(&pool)
     .await?;
diff --git a/solitaire_server/tests/server_tests.rs b/solitaire_server/tests/server_tests.rs
index ddbe6d4..0fcb04a 100644
--- a/solitaire_server/tests/server_tests.rs
+++ b/solitaire_server/tests/server_tests.rs
@@ -873,3 +873,26 @@ async fn opt_out_hides_then_opt_in_restores() {
         "re-opted-in user must appear again"
     );
 }
+
+/// Login with leading/trailing whitespace in the username still succeeds.
+#[tokio::test]
+async fn login_trims_whitespace_from_username() {
+    set_jwt_secret();
+    let app = build_test_router(test_pool().await);
+
+    let _ = register_user(app.clone(), "trimtest", "password1!").await;
+
+    // Login with surrounding whitespace — should still authenticate.
+    let resp = post_json(
+        app,
+        "/api/auth/login",
+        serde_json::json!({ "username": "  trimtest  ", "password": "password1!" }),
+    )
+    .await;
+
+    assert_eq!(
+        resp.status(),
+        StatusCode::OK,
+        "login with whitespace-padded username must succeed"
+    );
+}