Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lowercase input filter #4906

Draft
wants to merge 3 commits into
base: devel
Choose a base branch
from
Draft

Lowercase input filter #4906

wants to merge 3 commits into from

Conversation

krm-shrftdnv
Copy link

Fixes #4880

  • Created lowercase filter + annotation
  • Added new annotation to Profile#email, Profile#newEmail, CampCollaboration#inviteEmail, ResetPassword#email
  • Added unit tests and api tests
  • Changed email serch in oauth flow
  • Tested locally for registering new user and sending camp collaboration invite (same emails, different cases)

I did not implement migration to change existing data, because this is a rather crucial moment, and I have not yet fully figured out the scheme

@manuelmeister manuelmeister added the deploy! Creates a feature branch deployment for this PR label Apr 10, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 10, 2024
edited
Loading

Feature branch deployment currently inactive.

If the PR is still open, you can add the deploy! label to this PR to trigger a feature branch deployment.

carlobeltrame
carlobeltrame requested changes Apr 11, 2024
View reviewed changes
Copy link
Member

@carlobeltrame carlobeltrame left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking great already, thanks a lot for contributing!

One part of one point of the spec isn't met yet, see comment.

Also, the data migration seems more and more of a requirement to me, the longer I think about it. To implement a data migration, you could just copy pone of the migrations in api/migrations/schema and write SQL code inside which looks something like UPDATE xy SET email=LOWER(email). No need for a down implementation in the migration in this case.

api/src/Security/OAuth/GoogleAuthenticator.php
Comment on lines +60 to +61
$profiles = $profileRepository->findBy(['email' => strtolower($email)]);
$profile = count($profiles) > 0 ? $profiles[0] : null;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As long as we don't do the data migration, this will break the login for people who log in via OAuth and have capital letters in their email address on the external identity provider.

We should probably do the data migration, and also make sure that the email address which we get from the OAuth providers (here and here) is lower cased.

Another idea I had to go without data migration would be to compare here in the authenticators using SQL WHERE LOWER("email") = ?. But that might introduce be a security issue, and would break our undocumented feature which allows users to have both a normal login and an OAuth login to the same account.

@manuelmeister manuelmeister removed the deploy! Creates a feature branch deployment for this PR label Apr 12, 2024
@manuelmeister
Copy link
Member

Hey @krm-shrftdnv
Thank you very much for your PR. We discussed this again and noticed that emails are not always case insensitive. We need more time to figure this out, how we correctly solve this.
Unfortunately we need to ask you to pause work on this PR.

@manuelmeister manuelmeister marked this pull request as draft April 12, 2024 21:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@carlobeltrame carlobeltrame carlobeltrame requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Force email addresses to be lower case
3 participants
@krm-shrftdnv @manuelmeister @carlobeltrame