Opened 7 years ago

Closed 7 years ago

#4143 closed enhancement (fixed)

Case sensitivity regarding email in sign-up and password recovery

Reported by: Jonas Häggqvist Owned by: rails-dev@…
Priority: minor Milestone:
Component: website Version:
Keywords: Cc:

Description

I recently talked to a mapper who was having trouble recovering his password so he could accept ODbL. It turned out when he signed up, he had used a different case than usual when entering his email address, and the password recovery process is case sensitive.

I've found that signup is also case-sensitive. I managed to signup for two accounts on the api06.dev using RASHER@gmail and rasher@gmail.

Now, email is by standard case-sensitive on the local name part, so you could say we're following the standard, and be done with it. However, this is rarely - if ever - the case on mail servers in "the real world", and I suspect most users don't expect it, so I think there's still room to question whether this is a good idea.

A few possible things to do:

  • Make sign-up case-insensitive. This could probably be done without other harm than offending the standards, I suspect.
  • Make password-recovery case-insensitive. This becomes problematic if there are already accounts in the db using the same email with different case for the local name part.
  • Make password-recovery as case-insensitive as possible. Look up accounts matching the entered email address case-insensitively. If there's a single match, we act case-insensitively. If there are more than one match, require a case sensitive match as well. This gets around the problem of existing "double" accounts, at the cost of somewhat unexpected behaviour for those users.

Change History (4)

comment:1 Changed 7 years ago by Tom Hughes

We know that being case sensitive is not ideal, but it happened accidentally and by the time we realised there were duplicates in the database and it became very hard to do anything about it.

Basically only the third of your suggestions is realistically possible without somebody doing a lot of work to remove the duplicates.

comment:2 Changed 7 years ago by Jonas Häggqvist

Wouldn't the first option be possible as well? That is, preventing further such "duplicate" accounts?

Of course, all these points go for people using their email to log in as well, which I somehow overlooked.

As far as I can tell, implementing near-case-insensitivity for login and password recovery would only result in things working more as expected for the vast majority of users, and for unchanged behaviour for those with a "duplicate" account.

Only real problem I can see (besides needing someone to actually do it, of course) is if these two groups of people start talking to eachother.

comment:3 Changed 7 years ago by Tom Hughes

Probably, but it would have to be done very carefully to ensure that we didn't make it impossible for existing users to change their settings.

There is also the small fact that we would to bypass rails and do postgres specific hacks in the migrations to make this work as we would need to add function indexes on the user table.

comment:4 Changed 7 years ago by Tom Hughes

Resolution: fixed
Status: newclosed

Display names and email address are now required to be case insensitively unique when creating a new account or changing the name or address on an existing account.

In addition both login and password recovery will now allow a case insensitive match on the username so long as the match is unique - if it isn't unique then the entered name must match exactly.

Note: See TracTickets for help on using tickets.