minnestar / sessionizer

Conference session management application
http://sessions.minnestar.org
MIT License

Password resets are case sensitive, but should not be. #177

Closed tonyc closed 5 years ago

tonyc commented 6 years ago

If you register with the email address User@example.com (note the uppercase U), you can't sign in with user@example.com, or sign up again, because the system isn't using LOWER(email) when checking.

experimatt commented 6 years ago

🤦‍♂️

tonyc commented 6 years ago

I just tested this a bit more, and this isn't actually the case. (tested with my own account).

Sorry for the noise!

tonyc commented 5 years ago

This has resurfaced, but it's actually an issue with password resets: If you try to reset your password, but don't enter your email exactly how it is in the database, it will fail to find the record.

https://github.com/minnestar/sessionizer/blob/master/src/app/controllers/password_resets_controller.rb#L9

The query that PasswordResetsController uses to find the participant should do a case-insensitive search, e.g. something like:

```ruby
class Participant < ActiveRecord::Base
  # Compare the lowercased column against the lowercased input; `to_s`
  # keeps a missing parameter from raising NoMethodError on nil.
  def self.find_by_case_insensitive_email(email)
    where(['lower(email) = ?', email.to_s.downcase]).first
  end
end
```

pcantrell commented 5 years ago

…or we should normalize emails to lowercase in a pre-save hook, so they're still indexable. Not that it matters on a DB of this size.
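
The two fixes proposed in the previous two comments, the `lower(email) = ?` query and write-time normalisation, side by side as an added example. This is not code from the issue or from sessionizer; it uses a plain in-memory store so it runs without Rails or a database, and `Participant`, `ParticipantStore`, `normalize_email`, `participant_for_reset` and the strategy symbols are names assumed here for illustration.

```ruby
# Added example, not sessionizer's own code: the two fixes discussed in this
# issue, modelled on a plain in-memory store so it runs without Rails or a DB.
# Participant, ParticipantStore, normalize_email and participant_for_reset are
# names assumed here for illustration.

Participant = Struct.new(:id, :email)

# Write-time normalisation, as a before_save hook would do it. Once every
# stored value is trimmed and lowercase, an exact (indexed) comparison is
# enough, provided the lookup key is normalised the same way.
def normalize_email(raw)
  raw.to_s.strip.downcase
end

class ParticipantStore
  def initialize(normalize_on_write:)
    @rows = []
    @normalize_on_write = normalize_on_write
  end

  # Mimics a uniqueness validation declared with :case_sensitive => false:
  # a second sign-up with "user@example.com" is rejected even when the
  # first row was stored as "User@example.com".
  def create(email)
    email = normalize_email(email) if @normalize_on_write
    raise ArgumentError, "email already taken" if find_by_case_insensitive_email(email)
    @rows << Participant.new(@rows.size + 1, email)
    @rows.last
  end

  # Exact match, the equivalent of `find_by(email: params[:email])`.
  def find_by_email(email)
    @rows.find { |p| p.email == email }
  end

  # The one-liner fix, the equivalent of
  # `where(['lower(email) = ?', email.to_s.downcase]).first`.
  # `to_s` turns a nil parameter into "" instead of a NoMethodError.
  def find_by_case_insensitive_email(email)
    wanted = email.to_s.downcase
    @rows.find { |p| p.email.downcase == wanted }
  end
end

# The password-reset lookup from the report: find the participant for whatever
# the user typed into the form. Returns the Participant, or nil (the bug).
def participant_for_reset(store, typed_email, strategy:)
  case strategy
  when :exact       then store.find_by_email(typed_email)
  when :lower_query then store.find_by_case_insensitive_email(typed_email)
  when :normalized  then store.find_by_email(normalize_email(typed_email))
  else raise ArgumentError, "unknown strategy #{strategy}"
  end
end

def duplicate_rejected?(store, email)
  store.create(email)
  false
rescue ArgumentError
  true
end

def demo
  # Constructed data reproducing the report: registered with an uppercase U.
  legacy = ParticipantStore.new(normalize_on_write: false)
  legacy.create("User@example.com")

  canonical = ParticipantStore.new(normalize_on_write: true)
  canonical.create("User@example.com")

  {
    # the reported failure: the reset form address differs in case from the row
    exact_misses:       participant_for_reset(legacy, "user@example.com", strategy: :exact).nil?,
    # the lower(email) query finds it, and tolerates a missing parameter
    lower_query_finds:  !participant_for_reset(legacy, "user@example.com", strategy: :lower_query).nil?,
    lower_query_nil_ok: participant_for_reset(legacy, nil, strategy: :lower_query).nil?,
    # write-time normalisation: stored lowercase, and sloppy form input still matches
    stored_as:          canonical.find_by_email("user@example.com")&.email,
    normalized_finds:   !participant_for_reset(canonical, " USER@Example.COM ", strategy: :normalized).nil?,
    # the uniqueness validation already ignores case, as noted in the thread
    duplicate_rejected: duplicate_rejected?(legacy, "user@example.com")
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Two practical caveats when carrying this over to a real database: `lower(email) = ?` cannot use a plain index on `email` (a functional index on `lower(email)` or write-time normalisation fixes that), and Ruby's `String#downcase` and the database's `lower()` can disagree on non-ASCII characters depending on collation, which is another argument for normalising once, on write, and looking up with the same function.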

tonyc commented 5 years ago

I believe AuthLogic looks at the model's validation for the case-sensitivity, and since the validation on Participant is set to :case_sensitive => false (here), it's not taking case into account in the first place, so probably the one-liner fix above is good enough.