🐛 Bug Report: Email comparison is case sensitive #113

New Issue

Closed

opened 2025-10-07 23:53:34 +03:00 by OVERLORD · 5 comments

OVERLORD commented 2025-10-07 23:53:34 +03:00

Owner

Copy Link

Originally created by @yann117 on GitHub.

Originally assigned to: @kmendell on GitHub.

Reproduction steps

When using the "Email login" (requesting a one-time code per email), the end-user has to type in their email, which is then searched in the database for a match, and if found, it will send the code to the corresponding email.

Now the code doesn't make a case-insensitive search, and therefore any case difference will fail.

This makes the login process quite fragile, inconsistent, in particular for end-users who won't be able to login on this new system (they are already lost with just the access keys concept).

This is particularly true since on Android mobile, the system will automatically change the first typed-in character of the user-input/email in Uppercase, making the process fail in 100% of the cases.

Expected behavior

I don't know any system that makes use of case-sensitive emails, it should not make any difference.

PocketId should make case-insensitive emails comparison, to ensure a robust, resilient login mechanism.

Actual Behavior

The code makes a simple search (assuming case-sensitive):
https://github.com/pocket-id/pocket-id/blob/main/backend/internal/service/user_service.go#L358

(I also quickly searched into the frontend code, and haven't found a tolowercase or any similar handling).

Version and Environment

latest

Log Output

No response

Originally created by @yann117 on GitHub. Originally assigned to: @kmendell on GitHub. ### Reproduction steps When using the "Email login" (requesting a one-time code per email), the end-user has to type in their email, which is then searched in the database for a match, and if found, it will send the code to the corresponding email. Now the code doesn't make a case-insensitive search, and therefore any case difference will fail. This makes the login process quite _fragile_, inconsistent, in particular for end-users who won't be able to login on this new system (they are already lost with just the _access keys_ concept). This is particularly true since on Android mobile, the system **will automatically change the first typed-in character of the user-input/email in Uppercase**, making the process fail in 100% of the cases. ### Expected behavior I don't know any system that makes use of case-sensitive emails, it should not make any difference. PocketId should make **case-insensitive** emails comparison, to ensure a robust, resilient login mechanism. ### Actual Behavior The code makes a simple search (assuming case-sensitive): https://github.com/pocket-id/pocket-id/blob/main/backend/internal/service/user_service.go#L358 (I also quickly searched into the frontend code, and haven't found a _tolowercase_ or any similar handling). ### Version and Environment latest ### Log Output _No response_

OVERLORD closed this issue 2025-10-07 23:53:35 +03:00

OVERLORD commented 2025-10-07 23:53:36 +03:00

Author

Owner

Copy Link

@yann117 commented on GitHub:

Just a note that the "local part" of email addresses (before the @) should be treated as case-sensitive per the RFC. More info here: https://stackoverflow.com/a/9808332/192024

ChatGPT tell me that this is the wrong RFC, RFC 1035 applies to DNS/domain. For Emails it would be RFC 5321 (section 2.4).

But anyway, this is only for the SMTP server and probably does not make sense/meant for matching userId (only case would be when sending an email to the corresponding user, I assume we should take the exact email set for the user account).

Going further, I read that 99% of email providers do not apply this RFC/case sensitivity to avoid errors. In practice, this really looks like overkill and PocketId would probably be the only one doing that as an exception ... with the observed common failure due to the Android UI fiddling with user input.

@yann117 commented on GitHub: > Just a note that the "local part" of email addresses (before the `@`) should be treated as case-sensitive per the RFC. More info here: https://stackoverflow.com/a/9808332/192024 ChatGPT tell me that this is the wrong RFC, RFC 1035 applies to DNS/domain. For Emails it would be RFC 5321 (section 2.4). But anyway, this is only for the SMTP server and probably does not make sense/meant for matching userId (only case would be when sending an email to the corresponding user, I assume we should take the exact email set for the user account). Going further, I read that 99% of email providers do not apply this RFC/case sensitivity to avoid errors. In practice, this really looks like overkill and PocketId would probably be the only one doing that as an exception ... with the observed common failure due to the Android UI fiddling with user input.

OVERLORD commented 2025-10-07 23:53:37 +03:00

Author

Owner

Copy Link

@ItalyPaleAle commented on GitHub:

#776 should fix this by setting type="email" on the input, which disables auto-capitalization

@ItalyPaleAle commented on GitHub: #776 should fix this by setting `type="email"` on the input, which disables auto-capitalization

OVERLORD commented 2025-10-07 23:53:37 +03:00

Author

Owner

Copy Link

@ItalyPaleAle commented on GitHub:

Perhaps the fix would be on the UI then, to disable auto-capitalization on the user input field

@ItalyPaleAle commented on GitHub: Perhaps the fix would be on the UI then, to disable auto-capitalization on the user input field

OVERLORD commented 2025-10-07 23:53:38 +03:00

Author

Owner

Copy Link

@kmendell commented on GitHub:

I'll work on this later tonight, Thank you for reporting!

@kmendell commented on GitHub: I'll work on this later tonight, Thank you for reporting!

OVERLORD commented 2025-10-07 23:53:39 +03:00

Author

Owner

Copy Link

@ItalyPaleAle commented on GitHub:

Just a note that the "local part" of email addresses (before the @) should be treated as case-sensitive per the RFC. More info here: https://stackoverflow.com/a/9808332/192024

@ItalyPaleAle commented on GitHub: Just a note that the "local part" of email addresses (before the `@`) should be treated as case-sensitive per the RFC. More info here: https://stackoverflow.com/a/9808332/192024

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

oidc-scopes

breaking/v2

i18n_crowdin

v2/use-item-component

default-env-db-keys

slog-gorm

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id-pocket-id-1#113