Users created via Google OAUTH are case-sensitive


(Eric Eslinger) #1

I am setting Discourse up to work as an internal forum for users of a Google-Apps administered domain, let’s call it example.com.

I have users in example.com that I created directly as users in Discourse (because I am using mailcatcher instead of actually configuring SMTP while we’re dealing with initial setup and user testing, so I wanted to manually create the user and click the “register” link (instead of doing it via the rails console, since this is faster)).

The users I created via normal username-password creation are named firstname.lastname@example.com. Through an oversight, it seems most of these users actually have Firstname.Lastname@example.com as their official email address (in the user control panel on my google domain).

Once those users attempted to log in via Google OAUTH, it looks like the system created an additional account, named firstname.lastname@example.com. They’re in there twice, once with the nickname firstnamelastname (which I created manually) and once with Firstname_Lastname or Firstname_L (I imagine the user edited that).

Anyway, upon receiving oauth credentials from Google (or anywhere else, it might be a good idea to lower-casify; or look for lower-upper collisions. I’m not particularly worried here (since the majority of my users will just log in via google all the time, so no real collisions will happen), but it seems like there’d be a real authentication / trust collision problem. If some malicious user created Eric.Eslinger@example.com, then spammed the boards with stuff, would that go through, or is this just an OAUTH peculiarity?


(Jeff Atwood) #2

The official spec says that email addresses (but not domain names) are case sensitive. Therefore we treat email addresses as case sensitive.

So I would look strongly at correcting that on your end.


(Eric Eslinger) #3

So, you’re okay then, with people registering multiple Discourse accounts on the same email address, varying only the capitalization?

I guess I could do the same thing with me+one@gmail and m.e@gmail and so on. I guess as long as it’s impossible to activate an account without access to the email identity in question, so impersonating somebody would be difficult. Still, it strikes me as something that’d be possible to abuse.

Of course, if I don’t like it, I can always add my own normalization logic to the registration process.


(Sam Saffron) #4

Actually regardless of spec I would prefer we always normailzed emails. Including normalizing off the + addressing.

It feels wrong to have 2 users on the forum with email that just differs on casing.

Open to a PR that allows a site setting to normalize emails. It is a bit tricky though cause we would need an extra field on User.


(Jeff Atwood) #5

We no longer treat emails as case sensitive, so this should be resolved.


(Jeff Atwood) #6