[BUG] Same email can be used more than once

Question

[BUG] Same email can be used more than once

Closed this issue 2 years ago · 7 comments

Describe the bug

Users can sign up with the same email associated with multiple accounts. This is currently blocked by simply checking if the user entered email exists in the database, but is case sensitive. Thus, user@example.com and User@example.com are treated as different users, even though they point to the same mailbox.

Expected Behavior

Only one of these emails should be allowed to register; the first one entered.

Current Behavior

Both emails are allowed to be used.

Possible Solution

All emails should be converted to lowercase whenever they are being accessed/compared/stored.
This includes:

signing up
logging in
emails in the database

Steps to Reproduce

Create a user with some email
Create another user with the same email, but different capitalization
Observe that both accounts can be created

Context (Environment)

Doesn't matter, this exists in every version and platform

Answer 1 · 2022-10-03T23:14:39.000Z

To be merged into v3.3.0

Answer 2 · 2022-10-17T21:37:29.000Z

Emails like a+b@gmail.com and a+c@gmail.com are also both accepted, even though both go to the same email.

Answer 3 · 2022-10-20T13:38:36.000Z

Can I work on this bug for hacktober fest? @jdabtieu

Answer 4 · 2022-10-20T13:43:31.000Z

Yup, that's great!

…

On Thu, Oct 20, 2022, 09:38 Aman Kumar ***@***.***> wrote: Can I work on this bug for hacktober fest? @jdabtieu <https://github.com/jdabtieu> — Reply to this email directly, view it on GitHub <#141 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AO5NUGUR72SWCYSHFG6OXRDWEFDOPANCNFSM5N7I2BZA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Answer 5 · 2022-10-20T13:52:27.000Z

@jdabtieu One ques do you want this validation to be added on email only or on username also?

Answer 6 · 2022-10-20T13:54:39.000Z

That's a good point! Both would be great, but email at a minimum.

…

On Thu, Oct 20, 2022, 09:52 Aman Kumar ***@***.***> wrote: @jdabtieu <https://github.com/jdabtieu> One ques do you want this validation to be added on email only or on username also? — Reply to this email directly, view it on GitHub <#141 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AO5NUGWGETRLFQHP5PSURTLWEFFCNANCNFSM5N7I2BZA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Answer 7 · 2023-03-05T23:17:31.000Z

The naive way to implement this seems to be to

Reject any email with + character
Warn users that their emails will be lowercased
Lowercase emails before this
Add tests for the above
Lowercase all emails in DB in the migrate script