openpredictionmarkets · fabian-mv · Feb 27, 2026
diff --git a/backend/middleware/loggin.go b/backend/middleware/loggin.go
@@ -7,6 +7,7 @@ import (
 	"socialpredict/models"
 	"socialpredict/security"
 	"socialpredict/util"
+	"strings"
 	"time"
 
 	"github.com/golang-jwt/jwt/v4"
@@ -47,6 +48,9 @@ func LoginHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Trim whitespace from username before validation
+	req.Username = strings.TrimSpace(req.Username)
+
 	// Validate and sanitize login input
 	if err := securityService.Validator.ValidateStruct(req); err != nil {
 		http.Error(w, "Invalid input: "+err.Error(), http.StatusBadRequest)

diff --git a/backend/middleware/middleware_test.go b/backend/middleware/middleware_test.go
@@ -8,6 +8,7 @@ import (
 	"os"
 	"socialpredict/models"
 	"socialpredict/models/modelstesting"
+	"socialpredict/util"
 	"testing"
 	"time"
 
@@ -235,6 +236,11 @@ func TestLoginHandler_ValidationFailure(t *testing.T) {
 			username: "Test@User",
 			password: "password123",
 		},
+		{
+			name:     "Username with only whitespace",
+			username: "   ",
+			password: "password123",
+		},
 	}
 
 	for _, tt := range tests {
@@ -257,6 +263,61 @@ func TestLoginHandler_ValidationFailure(t *testing.T) {
 	}
 }
 
+func TestLoginHandler_TrimsUsernameWhitespace(t *testing.T) {
+	db := modelstesting.NewFakeDB(t)
+	util.DB = db
+
+	testUser := modelstesting.GenerateUser("testuser", 1000)
+	if err := testUser.HashPassword("password123"); err != nil {
+		t.Fatalf("Failed to hash password: %v", err)
+	}
+	if err := db.Create(&testUser).Error; err != nil {
+		t.Fatalf("Failed to create test user: %v", err)
+	}
+
+	// Test that usernames with leading/trailing spaces are trimmed before DB lookup
+	tests := []struct {
+		name     string
+		username string
+		password string
+	}{
+		{
+			name:     "Username with leading space",
+			username: " testuser",
+			password: "password123",
+		},
+		{
+			name:     "Username with trailing space",
+			username: "testuser ",
+			password: "password123",
+		},
+		{
+			name:     "Username with both leading and trailing spaces",
+			username: " testuser ",
+			password: "password123",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			loginReq := map[string]string{
+				"username": tt.username,
+				"password": tt.password,
+			}
+			jsonData, _ := json.Marshal(loginReq)
+
+			req := httptest.NewRequest(http.MethodPost, "/login", bytes.NewBuffer(jsonData))
+			w := httptest.NewRecorder()
+
+			LoginHandler(w, req)
+
+			if w.Code != http.StatusOK {
+				t.Errorf("Usernames should be trimmed before DB lookup. Expected status code %d, got %d (body: %s)", http.StatusOK, w.Code, w.Body.String())
+			}
+		})
+	}
+}
+
 func TestValidateTokenAndGetUser_MissingHeader(t *testing.T) {
 	db := modelstesting.NewFakeDB(t)
 

diff --git a/frontend/src/components/modals/login/LoginModal.jsx b/frontend/src/components/modals/login/LoginModal.jsx
@@ -17,7 +17,7 @@ const LoginModal = ({ isOpen, onClose, onLogin, redirectAfterLogin }) => {
         setError('');
 
         try {
-            const loginSuccess = await onLogin(username, password);
+            const loginSuccess = await onLogin(username.trim(), password);
             if (loginSuccess) {
                 onClose();
                 history.push(redirectAfterLogin);