fix: lowercase emails (#714)

supabase · Sep 30, 2022 · d65ba60 · d65ba60
1 parent e553477
commit d65ba60
Show file tree

Hide file tree

Showing 9 changed files with 25 additions and 14 deletions.
diff --git a/api/admin.go b/api/admin.go
@@ -234,7 +234,8 @@ func (a *API) adminUserCreate(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	if params.Email != "" {
-		if err := a.validateEmail(ctx, params.Email); err != nil {
+		params.Email, err = a.validateEmail(ctx, params.Email)
+		if err != nil {
 			return err
 		}
 		if exists, err := models.IsDuplicatedEmail(db, params.Email, aud); err != nil {

diff --git a/api/invite.go b/api/invite.go
@@ -31,7 +31,8 @@ func (a *API) Invite(w http.ResponseWriter, r *http.Request) error {
 		return badRequestError("Could not read Invite params: %v", err)
 	}
 
-	if err := a.validateEmail(ctx, params.Email); err != nil {
+	params.Email, err = a.validateEmail(ctx, params.Email)
+	if err != nil {
 		return err
 	}
 

diff --git a/api/magic_link.go b/api/magic_link.go
@@ -43,7 +43,8 @@ func (a *API) MagicLink(w http.ResponseWriter, r *http.Request) error {
 	if params.Email == "" {
 		return unprocessableEntityError("Password recovery requires an email")
 	}
-	if err := a.validateEmail(ctx, params.Email); err != nil {
+	params.Email, err = a.validateEmail(ctx, params.Email)
+	if err != nil {
 		return err
 	}
 

diff --git a/api/mail.go b/api/mail.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/netlify/gotrue/conf"
@@ -57,7 +58,8 @@ func (a *API) GenerateLink(w http.ResponseWriter, r *http.Request) error {
 		return badRequestError("Could not parse JSON: %v", err)
 	}
 
-	if err := a.validateEmail(ctx, params.Email); err != nil {
+	params.Email, err = a.validateEmail(ctx, params.Email)
+	if err != nil {
 		return err
 	}
 
@@ -158,7 +160,8 @@ func (a *API) GenerateLink(w http.ResponseWriter, r *http.Request) error {
 			if !config.Mailer.SecureEmailChangeEnabled && params.Type == "email_change_current" {
 				return unprocessableEntityError("Enable secure email change to generate link for current email")
 			}
-			if terr := a.validateEmail(ctx, params.NewEmail); terr != nil {
+			params.NewEmail, terr = a.validateEmail(ctx, params.NewEmail)
+			if terr != nil {
 				return unprocessableEntityError("The new email address provided is invalid")
 			}
 			if exists, terr := models.IsDuplicatedEmail(tx, params.NewEmail, user.Aud); terr != nil {
@@ -350,13 +353,13 @@ func (a *API) sendEmailChange(tx *storage.Connection, config *conf.GlobalConfigu
 	), "Database error updating user for email change")
 }
 
-func (a *API) validateEmail(ctx context.Context, email string) error {
+func (a *API) validateEmail(ctx context.Context, email string) (string, error) {
 	if email == "" {
-		return unprocessableEntityError("An email address is required")
+		return "", unprocessableEntityError("An email address is required")
 	}
 	mailer := a.Mailer(ctx)
 	if err := mailer.ValidateEmail(email); err != nil {
-		return unprocessableEntityError("Unable to validate email address: " + err.Error())
+		return "", unprocessableEntityError("Unable to validate email address: " + err.Error())
 	}
-	return nil
+	return strings.ToLower(email), nil
 }
diff --git a/api/otp.go b/api/otp.go
@@ -171,7 +171,8 @@ func (a *API) shouldCreateUser(r *http.Request, params *OtpParams) (bool, error)
 		aud := a.requestAud(ctx, r)
 		var err error
 		if params.Email != "" {
-			if err := a.validateEmail(ctx, params.Email); err != nil {
+			params.Email, err = a.validateEmail(ctx, params.Email)
+			if err != nil {
 				return false, err
 			}
 			_, err = models.FindUserByEmailAndAudience(db, params.Email, aud)

diff --git a/api/recover.go b/api/recover.go
@@ -37,7 +37,8 @@ func (a *API) Recover(w http.ResponseWriter, r *http.Request) error {
 	var user *models.User
 	aud := a.requestAud(ctx, r)
 
-	if err := a.validateEmail(ctx, params.Email); err != nil {
+	params.Email, err = a.validateEmail(ctx, params.Email)
+	if err != nil {
 		return err
 	}
 	user, err = models.FindUserByEmailAndAudience(db, params.Email, aud)

diff --git a/api/signup.go b/api/signup.go
@@ -73,7 +73,8 @@ func (a *API) Signup(w http.ResponseWriter, r *http.Request) error {
 		if !config.External.Email.Enabled {
 			return badRequestError("Email signups are disabled")
 		}
-		if err := a.validateEmail(ctx, params.Email); err != nil {
+		params.Email, err = a.validateEmail(ctx, params.Email)
+		if err != nil {
 			return err
 		}
 		user, err = models.FindUserByEmailAndAudience(db, params.Email, params.Aud)

diff --git a/api/user.go b/api/user.go
@@ -98,7 +98,8 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
 		}
 
 		if params.Email != "" && params.Email != user.GetEmail() {
-			if terr = a.validateEmail(ctx, params.Email); terr != nil {
+			params.Email, terr = a.validateEmail(ctx, params.Email)
+			if terr != nil {
 				return terr
 			}
 

diff --git a/api/verify.go b/api/verify.go
@@ -475,7 +475,8 @@ func (a *API) verifyUserAndToken(ctx context.Context, conn *storage.Connection,
 			return nil, badRequestError("Invalid sms verification type")
 		}
 	} else if isEmailOtpVerification(params) {
-		if err := a.validateEmail(ctx, params.Email); err != nil {
+		params.Email, err = a.validateEmail(ctx, params.Email)
+		if err != nil {
 			return nil, unprocessableEntityError("Invalid email format").WithInternalError(err)
 		}
 		tokenHash = fmt.Sprintf("%x", sha256.Sum224([]byte(string(params.Email)+params.Token)))