Force case insensitivity for new emails, existing.

There is a legacy bug I just caught, where many accounts would have the
same email but then have different casing. In extreme scenarios, this
would lead to them creating a new user with the same email, or having
issues with password reset and username lookup.

This doesn't merge in the existing duplicates, but makes sure to only
allow insensitive lowercase emails from here on out. It also will check
for emails in a case insensitive way for such things as resets and
logins if the sensitive lookup doesn't work.

The implementation was not wrong per se - email is supposed to be case sensitive
for usernames. But of course, nobody (nor most/all email servers) treats
them that way, leading to confusing situations where the user sometimes
camelcases their email and then switches to lowercase later.
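The approach the commit message describes, lowercasing new emails on write and falling back to a case-insensitive lookup on read, as an added example that is not Neocities' code. It uses a constructed in-memory store instead of the real Sequel models, and it goes one step beyond the commit in two places that are my assumptions: surrounding whitespace is stripped during normalization, and when the fallback lookup matches more than one legacy account (the unmerged duplicates the message mentions) it refuses rather than picking one, because a guess here decides who receives a password reset.

```ruby
# Added example, not the project's code: email normalization plus an
# exact-then-case-insensitive lookup, with a guard for legacy duplicates.
class SiteStore
  AmbiguousEmail = Class.new(StandardError)

  def initialize
    @sites = [] # constructed rows of the form { username:, email: }
  end

  # Normalize once, at the boundary. Stripping whitespace is an assumption
  # beyond the commit; downcasing is what the commit enforces for new rows.
  def self.normalize_email(email)
    email.to_s.strip.downcase
  end

  # New accounts are stored with a lowercase email only, and an email that
  # already exists in any casing is rejected (the signup test's intent).
  def create(username:, email:)
    normalized = self.class.normalize_email(email)
    raise ArgumentError, 'email already exists' if find_all_by_email(normalized).any?
    site = { username: username, email: normalized }
    @sites << site
    site
  end

  # Simulates pre-fix rows that were written without normalization.
  def insert_legacy(username:, email:)
    site = { username: username, email: email }
    @sites << site
    site
  end

  # Exact lookup first; if that fails, fall back to a case-insensitive match.
  # Assumption beyond the commit: more than one fallback match is an error,
  # not a free choice, since resets and logins would otherwise be decided by
  # row order for accounts that were never merged.
  def find_by_email(email)
    exact = @sites.find { |s| s[:email] == email }
    return exact if exact

    matches = find_all_by_email(self.class.normalize_email(email))
    if matches.size > 1
      raise AmbiguousEmail, "#{matches.size} accounts match #{email.inspect} case-insensitively"
    end
    matches.first
  end

  def find_all_by_email(normalized)
    @sites.select { |s| s[:email].downcase == normalized }
  end

  # Audit helper for the legacy data: groups of accounts whose stored emails
  # differ only by case, i.e. the duplicates the commit leaves in place.
  def duplicate_email_groups
    @sites.group_by { |s| s[:email].downcase }.values.select { |g| g.size > 1 }
  end
end
```

Running `duplicate_email_groups` against the real table before enabling the fallback is the check worth doing first: every group it returns is an account pair for which the fallback lookup cannot be made safe without a merge or a manual decision.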
Kyle Drake 2017-12-08 22:13:27 -08:00
parent 33054a8298
commit d467e9be96
5 changed files with 52 additions and 7 deletions


@ -60,6 +60,17 @@ describe 'signin' do
page.must_have_content 'Your Feed'
end
it 'signs in with invalid case username' do
pass = SecureRandom.hex
@site = Fabricate :site, password: pass
visit '/'
click_link 'Sign In'
fill_in 'username', with: @site.username.upcase
fill_in 'password', with: pass
click_button 'Sign In'
page.must_have_content 'Your Feed'
end
it 'signs in with email' do
pass = SecureRandom.hex
@site = Fabricate :site, password: pass
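Review bot: the new 'signs in with invalid case username' test only asserts that 'Your Feed' appears after signing in as `@site.username.upcase`, which shows a session was created but not that it belongs to @site; if the username lookup resolved to a different account that differs only in case, this test would still pass. Assert something specific to @site on the landing page (its username, for instance), and consider a mixed-case input rather than only `upcase`. The name also misdescribes the input: the username is valid, just differently cased, so 'signs in with differently cased username' reads better.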
@ -70,4 +81,15 @@ describe 'signin' do
click_button 'Sign In'
page.must_have_content 'Your Feed'
end
it 'signs in with invalid case email' do
pass = SecureRandom.hex
@site = Fabricate :site, password: pass
visit '/'
click_link 'Sign In'
fill_in 'username', with: @site.email.upcase
fill_in 'password', with: pass
click_button 'Sign In'
page.must_have_content 'Your Feed'
end
end
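Review bot: 'signs in with invalid case email' covers only the happy path. The commit message says the case-insensitive lookup is a fallback that runs when the exact lookup fails and that existing duplicates are not merged, so the edge case that matters is two pre-existing sites whose emails differ only by case. Add a test that fabricates two such sites and pins down which one (if any) a differently cased sign-in resolves to, because that resolution decides login and password reset for both accounts. As in the previous hunk, checking for content specific to @site rather than just 'Your Feed' would make the assertion meaningful.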


@ -140,6 +140,20 @@ describe 'signup' do
page.must_have_content /email.+exists/
end
it 'fails with existing email even if case sensitive' do
email = Fabricate.attributes_for(:site)[:email]
fill_in_valid
fill_in 'email', with: email
click_signup_button
site_created?.must_equal true
Capybara.reset_sessions!
visit_signup
fill_in_valid
fill_in 'email', with: email.upcase
click_signup_button
page.must_have_content /email.+exists/
end
it 'succeeds with no tags' do
fill_in_valid
fill_in 'new_tags_string', with: ''
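Review bot: after the second signup attempt with `email.upcase`, the test checks only for the /email.+exists/ message; add `site_created?.must_equal false` (mirroring the `must_equal true` after the first attempt) so it fails if the page shows the error but the account is created anyway. Nothing here checks the other half of the commit message, that new emails are stored lowercase, so a test that signs up with a mixed-case email and asserts the stored value is lowercase would be worth adding. The name 'fails with existing email even if case sensitive' says the opposite of what is tested; 'even if case differs' is clearer.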