OpenRoberta / openroberta-lab

The programming environment »Open Roberta Lab« by Fraunhofer IAIS enables children and adolescents to program robots. A variety of different programming blocks are provided to program motors and sensors of the robot. Open Roberta Lab uses an approach of graphical programming so that beginners can seamlessly start coding. As a cloud-based application, the platform can be used without prior installation of specific software but runs in any popular browser, independent of operating system and device.
Apache License 2.0

Password reset bug: Email case sensitive #130

Dittse opened this issue 6 years ago (status: Open)

Dittse commented 6 years ago

If the entered email address differs in upper and lower case from the one stored in the account, it will not be recognized.


bjost2s commented 6 years ago

Well, the hint "maybe you have spelled it wrong" is correct, right? So your intention is to change the user-given email address to be lowercase. This is not a bug. We have stored the email in the database as it is. I personally think this makes everything more insecure, but let's discuss this and also how we would like to handle already stored email addresses.

Dittse commented 6 years ago

I just think that it confuses the user if nowhere else the upper and lower case of the email address is important but here it is.

rbudde commented 5 years ago

Let's store the email address as the user typed it and use equalsIgnoreCase when comparing.

rbudde commented 4 years ago

It turns out that, according to stackoverflow, "the part before the @ could be case-sensitive, since it is entirely under the control of the host system. In practice though, no widely used mail systems distinguish different addresses based on case. The part after the @ sign however is the domain and according to RFC 1035, section 3.1, name servers and resolvers must compare [domains] in a case-insensitive manner". Thus we can use a case-insensitive compare.

But we have to guarantee that no mail addresses are actually used in our database which differ only in upper/lower case.

schrodingersca8 commented 4 years ago

@bjost2s I would like to work on this issue if it is still open.

boonto commented 4 years ago

Hey @kuruma99 this issue is a pretty tough one and we are not really sure how to solve it yet ourselves, so it is definitely not suitable for beginners (although it seems easy).

rishabhdeepsingh commented 4 years ago

@boonto Maybe it would be great if we set new users' e-mail to lowercase, and then at the front end, whenever a user resets the password, the e-mail is automatically lowercased and sent to the backend for the reset. For old users, we need to switch the case manually in the backend to lowercase.

bjost2s commented 4 years ago

@rishabhdeepsingh, as @rbudde already mentioned, we should not change the user's email because the user might be unreachable or we might connect another user with the account.

rishabhdeepsingh commented 4 years ago

That means we only need to check if there are some users with the same emails, which I think is impossible as email providers don't allow this kind of thing. Example: Example@gmail.com and example@gmail.com will be the same emails.

And if we have two different users with the same emails and different cases, the one with the original email can get the account of the other if the other user sends a password reset request. It is also possible to create two different accounts with the same email. I created one with rishabhdeepsingh98@gmail.com and one with Rishabhdeepsingh98@gmail.com.
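The two checks the thread converges on, comparing addresses case-insensitively (rbudde's comment) and making sure no two accounts differ only by case (the duplicate sign-up described just above), as an added example in Python. This is illustrative code, not Open Roberta Lab's Java backend; the function names, the account tuples and the addresses are constructed for the example. It follows the thread's reasoning that both the local part and the domain can be folded for comparison while the stored address stays exactly as the user typed it.

```python
"""Added example (not Open Roberta Lab code): case-insensitive e-mail
comparison, duplicate detection over existing accounts, and a registration
check that refuses an address colliding with an existing one by case only."""
from __future__ import annotations

from collections import defaultdict
from typing import Iterable


def email_key(address: str) -> str:
    """Return a comparison key; the stored address is never rewritten.

    Local part and domain are both case-folded, per the thread's reasoning
    that no widely used mail system distinguishes case in the local part.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return f"{local.casefold()}@{domain.casefold()}"


def same_email(a: str, b: str) -> bool:
    """Case-insensitive equality, the Python counterpart of equalsIgnoreCase."""
    return email_key(a) == email_key(b)


def find_case_duplicates(accounts: Iterable[tuple[int, str]]) -> dict[str, list[int]]:
    """Group (user_id, address) rows whose addresses differ only by case.

    Returns {comparison_key: [user_id, ...]} for every group with 2+ members;
    this is the check the database must pass before switching to
    case-insensitive lookup in the password reset flow.
    """
    groups: dict[str, list[int]] = defaultdict(list)
    for user_id, address in accounts:
        groups[email_key(address)].append(user_id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def can_register(address: str, accounts: Iterable[tuple[int, str]]) -> bool:
    """Reject a new sign-up whose address already exists in any casing."""
    key = email_key(address)
    return all(email_key(existing) != key for _, existing in accounts)


# Constructed sample data: users 1 and 2 collide by case, users 3 and 4 do not.
SAMPLE_ACCOUNTS = [
    (1, "Example@gmail.com"),
    (2, "example@gmail.com"),
    (3, "alice@example.org"),
    (4, "bob@Example.ORG"),
]

if __name__ == "__main__":
    print("duplicates:", find_case_duplicates(SAMPLE_ACCOUNTS))
    print("Alice@example.org may register:", can_register("Alice@example.org", SAMPLE_ACCOUNTS))
```

Running the block on the sample data reports one duplicate group, user IDs 1 and 2, and refuses a sign-up with `Alice@example.org` because user 3 already holds that address in a different casing.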

bjost2s commented 3 years ago

Proposed solution:

rishabhdeepsingh commented 3 years ago

In this solution, users can have a hard time remembering which letters are upper or lower cased. IMO email should never be case-sensitive; it isn't on most platforms either.

rbudde commented 3 years ago

You are right. See my comment from 12 Nov 2019.

We have the problem that we HAVE users in the database with emails that differ w.r.t. upper/lower case. Should we remove these? And the programs? Or move to one of the accounts? What if the names are the same, but the programs differ?

rishabhdeepsingh commented 3 years ago

I think we can move them to one account, or ask the user to move them in case they have access to all those accounts. The naming of programs can be resolved by just replacing them with additional numbering at the end.
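The merge step proposed in the comment above, as an added example in Python rather than project code: one duplicate group is folded into a single surviving account, and any program name that already exists there gets a numeric suffix. The group format and the `programs_by_user` mapping are assumptions made for the example; the survivor is chosen as the lowest user ID, which is only a stand-in for whatever rule the project would actually use. The suffix loop also handles the edge case where the suffixed name is itself already taken.

```python
"""Added example (not Open Roberta Lab code): merge accounts that differ only
by e-mail case into one surviving account, renaming colliding program names
with a numeric suffix."""
from __future__ import annotations


def next_free_name(name: str, taken: set[str]) -> str:
    """Return `name` if unused, otherwise `name (2)`, `name (3)`, ... until free."""
    candidate = name
    n = 1
    while candidate in taken:
        n += 1
        candidate = f"{name} ({n})"
    return candidate


def merge_duplicate_group(
    user_ids: list[int], programs_by_user: dict[int, list[str]]
) -> tuple[int, dict[int, dict[str, str]]]:
    """Fold all accounts in `user_ids` into the one with the lowest ID.

    Returns (surviving_id, renames) where renames[old_user_id][old_name]
    gives the name each moved program receives in the surviving account.
    """
    survivor = min(user_ids)
    taken = set(programs_by_user.get(survivor, []))
    renames: dict[int, dict[str, str]] = {}
    for user_id in sorted(user_ids):
        if user_id == survivor:
            continue
        mapping: dict[str, str] = {}
        for name in programs_by_user.get(user_id, []):
            new_name = next_free_name(name, taken)
            taken.add(new_name)
            mapping[name] = new_name
        renames[user_id] = mapping
    return survivor, renames


# Constructed sample: user 1 already owns "Blink (2)", so user 2's "Blink"
# must skip to "Blink (3)".
SAMPLE_PROGRAMS = {
    1: ["Blink", "Drive", "Blink (2)"],
    2: ["Blink", "Walk", "Drive"],
}

if __name__ == "__main__":
    print(merge_duplicate_group([1, 2], SAMPLE_PROGRAMS))
```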