Remote Auth does not sanitize usernames #6632

Closed
opened 2025-12-29 19:43:19 +01:00 by adam · 3 comments
Owner

Originally created by @D3luxee on GitHub (Jul 6, 2022).

Originally assigned to: @arthanson on GitHub.

NetBox version

v3.2.2

Python version

3.10

Steps to Reproduce

  1. Set up NetBox with remote auth based on netbox.authentication.RemoteUserBackend / Header
  2. Auto Create User must be enabled, see configuration example below
  3. Now open NetBox and set the defined AUTH_HEADER to a username that contains invalid characters like : which is used for example by Google IAP
  4. This creates a new user in NetBox. Now open the admin interface of NetBox and try to change anything in the user (/admin/auth/user/)
  5. The user edit dialog validates the username if you change something; the frontend does not allow saving any changes there because of an invalid character in the username.
```
REMOTE_AUTH_ENABLED: true
REMOTE_AUTH_BACKEND: "netbox.authentication.RemoteUserBackend"
REMOTE_AUTH_HEADER: "HTTP_X_GOOG_AUTHENTICATED_USER_EMAIL"
REMOTE_AUTH_AUTO_CREATE_USER: true
```

Expected Behavior

Netbox should sanitize the usernames that are provided via REMOTE_AUTH_HEADER to create valid usernames.

Observed Behavior

Google IAP's headers have a value of: accounts.google.com:example@gmail.com and it creates a new user based on this in NetBox.
But the admin dialogs to change or update those user accounts validate the username and reject any changes because of invalid characters in the username:

Enter a valid username. This value may contain only letters, numbers, and @/./+/-/_ characters.

adam added the type: bug, status: accepted labels 2025-12-29 19:43:19 +01:00
adam closed this issue 2025-12-29 19:43:19 +01:00
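
The sanitization requested in the report, as an added example that is not NetBox's code or part of the original issue: a header value is normalized by removing only an exact, trusted prefix and is otherwise rejected if it fails the username pattern quoted in the error message. The function names and the `TRUSTED_PREFIXES` tuple are assumptions; in a Django deployment this logic would typically be called from a backend's `clean_username()` override.

```python
import re

# Pattern used by Django's default username validator: letters, digits
# and @ . + - _ only, matching the error message quoted in the report.
USERNAME_RE = re.compile(r"^[\w.@+-]+\Z")
MAX_LEN = 150  # max_length of Django's default User.username field

# Assumption: identity-provider prefixes this deployment trusts.
TRUSTED_PREFIXES = ("accounts.google.com:",)


def clean_remote_username(header_value, prefixes=TRUSTED_PREFIXES):
    """Return a username the user form will accept, or raise ValueError.

    Only an exact, configured prefix is removed. Anything else that fails
    validation is rejected instead of rewritten, so an unexpected header
    value never silently maps onto an existing account.
    """
    value = header_value.strip()
    for prefix in prefixes:
        if value.startswith(prefix):
            value = value[len(prefix):]
            break
    if not value or len(value) > MAX_LEN or not USERNAME_RE.match(value):
        raise ValueError(f"unusable remote username: {header_value!r}")
    return value


def naive_strip(header_value):
    """Anti-pattern for comparison: silently drop every invalid character."""
    return re.sub(r"[^\w.@+-]", "", header_value)


def demo():
    # Constructed header values, modelled on the one quoted in the report.
    samples = [
        "accounts.google.com:example@gmail.com",   # trusted prefix, accepted
        "accounts.google.com:ex:ample@gmail.com",  # stray ':' left, rejected
        "other.idp:example@gmail.com",             # unknown prefix, rejected
    ]
    results = {}
    for sample in samples:
        try:
            results[sample] = clean_remote_username(sample)
        except ValueError:
            results[sample] = None
    return results
```

Blind character stripping, as in `naive_strip`, makes distinct header values collide on one username, which is why the cleaner rejects instead of rewriting.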

@jeremystretch commented on GitHub (Jul 6, 2022):

Thank you for opening a bug report. Unfortunately, the information you have provided is not sufficient for someone else to attempt to reproduce the reported behavior. Remember, each bug report must include detailed steps that someone else can follow on a clean, empty NetBox installation to reproduce the exact problem you're experiencing. These instructions should include the creation of any involved objects, any configuration changes, and complete accounting of the actions being taken. Also be sure that your report does not reference data on the public NetBox demo, as that is subject to change at any time by an outside party and cannot be relied upon for bug reports.


@D3luxee commented on GitHub (Jul 7, 2022):

Hi @jeremystretch
I updated the steps to reproduce. Basically, the issue is that the remote auth based on the header is able to create users with usernames that are not possible to create via the frontend, and therefore you're not able to edit those users via the admin UI.


@github-actions[bot] commented on GitHub (Sep 7, 2022):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Do not attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our contributing guide (https://github.com/netbox-community/netbox/blob/develop/CONTRIBUTING.md).
Reference: starred/netbox#6632