Password reset email may be case sensitive

[Mike-Heneghan]

Investigate and fix

[Mike-Heneghan]

If a user tries to reset their password and they have the wrong case for their email they will be sent a recovery password for their account. Although that email will be sent as per the incorrect case email submitted.

For example:

• A user with email b5249588@urhen.com tries to reset password with B5249588@urhen.com
• Their account is recognised with username b5249588@urhen.com and the reset is sent to B5249588@urhen.com

From googling, it looks like emails are case sensitive but a lot of email providers support your email address with all its different cases. https://www.lifewire.com/are-email-addresses-case-sensitive-1171111

So I believe this means that if a user uses the wrong case on their email for a password reset it should still be delivered to them.

It also appears that user login is case sensitive which may partially due to security. I think Django as standard follows the standard stating emails should be case sensitive.

[Mike-Heneghan]

The account signup is not case sensitive and would therefore not allow a new user to be created with B5249588@urhen.com if a user with b5249588@urhen.com already exists.

[Mike-Heneghan]

https://webmasters.stackexchange.com/questions/34056/is-it-ok-to-use-uppercase-letters-in-an-email-address/34058

[Mike-Heneghan]

As the project already seems to follow best practices in regard to email case sensitivity the best option could be to better educate the user. This could involve:

• [x] Make it clear that example@aliss.org is not the same as Example@aliss.org when logging in.
• [x] On reset password remind the user to check the email is the correct combination of upper and lowercase characters.
  • [x] Add a prompt for users to contact the ALISS team if they are still having issues logging in.

[Mike-Heneghan]

Merged into master