Investigate email casing #1763
Comments
Yes, username part should be kept as is.
I believe Postgres is case insensitive for string queries by default. Most
email providers are also not case sensitive.
On Sat, Aug 11, 2018 at 12:21 PM Aditya Prakash ***@***.***> wrote:
except that the username portion of an email address (the bit before the
@) technically is case sensitive.
Yes, username part should be kept as is.
David Radcliffe
@dwradcliffe it doesn't appear to be set up that way, based on what I'm seeing.
This /might/ be simply an edge case, as the user in question was asking for help after not receiving their confirmation email, a common enough complaint that is a larger, ongoing issue. I'm dubious this is a pressing concern, but wanted to at least get it down in an issue.
👍 If we need to make an adjustment that's fine but let's make sure we're careful to not expose a security problem by allowing case sensitive emails.
I've been previously recommended to store emails as lowercase for authentication purposes, but to store them exactly as the user typed them and use that version for sending any emails.
So which way have we decided to go with this issue? Maintaining a different email to send mails, or just adding a UI warning when the user puts the email in uppercase? @kerrizor @dwradcliffe
@anuragaryan Here's a plan.. @dwradcliffe thoughts?
@dwradcliffe if you've nothing else to add, I'm starting on this based on @kerrizor 's plan.
Based on some previous experiences, using lowercase emails is very helpful for the majority of users, as that's what they've come to expect due to how all the major providers deal with emails. I wouldn't suggest removing case normalization, because you'll have cases like people opening the app with autocorrect capitalizing the first letter, then opening it later without autocorrect and not being able to log in and being very confused. I would still recommend the two-fold solution:
@obahareth at DB side it is not needed to be stored twice, it is enough to create a "lowered" index:

```sql
CREATE UNIQUE INDEX lower_case_email ON users ((lower(email)));
SELECT username FROM users WHERE lower(email) = lower('Email@Email.com');
```
@simi wouldn't
@anuragaryan depends on query then (if using
@simi That's correct, what I meant was if some mail host allow case sensitive emails, then
We should store exactly what is entered at signup, and send emails using that exact casing. However we should enforce uniqueness on lower(email). This might prevent someone from signing up (they would be using a rare email provider) but it will ensure that we don't open a huge security hole for most email providers.
* Stores the email using exact casing as input
* Index on lower(email)
* Enforce uniqueness on lower(email)
* Use case insensitive email to login
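The scheme the thread settles on (exact casing stored and used for outgoing mail, uniqueness and login on the lowercased form), as an added in-memory Ruby model that is not the project's own code; `UserStore` and its methods are illustrative names:

```ruby
# Added example, not the project's own code: an in-memory model of the
# two-fold scheme (store the typed casing, enforce uniqueness and look up on
# the case-folded form). `fold` must mirror the DB index expression
# lower(email) exactly, or the app and the unique index will disagree on
# what counts as a duplicate.
class UserStore
  DuplicateEmail = Class.new(StandardError)

  def initialize
    @users = {} # folded email => { username:, email: } (plays the unique index)
  end

  # Keeps the address exactly as entered; rejects any case variant of an
  # address that is already registered, so one mailbox maps to one account.
  def register(username, email)
    key = fold(email)
    if @users.key?(key)
      raise DuplicateEmail, "#{email} collides with #{@users[key][:email]}"
    end
    @users[key] = { username: username, email: email }
  end

  # Case-insensitive lookup, used for login and password reset.
  def find_by_email(email)
    @users[fold(email)]
  end

  # Address to put on outgoing mail: the casing the user typed, since the
  # local part may be case sensitive at the receiving host.
  def delivery_address(email)
    user = find_by_email(email)
    user && user[:email]
  end

  private

  # Same normalisation as lower(email) in the SQL index.
  def fold(email)
    email.downcase
  end
end
```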
@dwradcliffe @simi can we get the PR reviewed?
* Fixes #1763
* Index on lower(email)
* Enforce uniqueness on lower(email)
* Use case insensitive email to login
@anuragaryan I have revived your commit and opened PR at #4200. Sorry for the massive delay in here. Feel free to review.
We had a user contact us via support to say that they weren't receiving an email confirmation. Investigating, it looks as if the system is storing their email address downcased. Fine, great.. except that the username portion of an email address (the bit before the @) technically is case sensitive. This is likely fine, as we seldom see them, but I wonder if we should at least add a UI warning, since users /may/ not receive the email that they expect?