Email Search Casing Should Not Matter

Hello,

I don’t know if this is a bug or a feature request, but I think I found an inconsistency with users’ emails. Some endpoints do not behave the same as others in how they treat mixed-case email addresses.

Automatically Lowercasing Email Address

  • Whenever a user is created using the management API POST /users endpoint, the email address provided is always converted to lowercase.
    • example: POST with BOB@example.com and user will be saved in Auth0 as bob@example.com
  • Whenever attempting a login using the authentication API Resource Owner flow from a trusted API, the passed in email will always be lowercased as well.
    • example: user attempts login with BOB@example.com, Auth0 will attempt to log the user in with bob@example.com and whatever password they provided.
  • Fetching a list of users via management API /users using mixed cased email addresses, the emails will be looked up by using lowercase.
    • example: /api/v2/users?q=email:BOB@example.com will lookup and return bob@example.com

Not Automatically Lowercasing Email Address

  • Looking up a single user by email using the management API /users-by-email?email=… does not lowercase the email before searching.
    • example: /api/v2/users-by-email?email=BOB@example.com will not return bob@example.com (assuming that user exists in the database).

This bit us in production a few nights ago. It was an easy fix on our end (just lowercase the email before issuing the request). But it just seems like it should be case-insensitive like all the other user related endpoints.

Also to be fair: the documentation for the /users-by-email endpoint does state it is case-sensitive making it my fault for not reading it thoroughly before we found out in production. Also kinda means this is a feature request and not a bug report :upside_down_face:


Hi @davidhouseknechtdev

I am doing some checking on this. I’ll let you know.

John

Hi @davidhouseknechtdev,

Thank you for posting this feedback. We were able to find an issue in the backlog about this. The /users-by-email is case sensitive because the local part of the email address is preserved as case sensitive for notification purposes (for example, email resets). However, other endpoints such as the /users endpoint are not case sensitive because of an OWASP recommendation that email/username uniqueness should be enforced in a non-case sensitive way to avoid a security issue.

I agree that this is tricky to catch, and I’ve passed on your post to the appropriate team.
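The following is an added example, not code from Auth0 or from anyone in this thread. It models in memory the behaviour the first post describes (POST /users lowercases, the /users?q= search lowercases, /users-by-email matches exactly), shows the client-side fix the original poster applied (normalize before calling /users-by-email), and then illustrates the point in the reply above: why uniqueness that is enforced case-sensitively lets one mailbox end up owning two accounts. The FakeAuth0 class, its method names, the case_insensitive_uniqueness switch and the sample addresses are all constructed for this example and are not Auth0 APIs.

```python
"""Added example (not Auth0's code): an in-memory model of the case handling
described in the thread, plus the client-side normalization work-around.

Everything here is constructed for illustration: FakeAuth0 and its methods
only mimic the documented behaviour of the real endpoints they are named after.
"""
from dataclasses import dataclass, field


class DuplicateUser(Exception):
    """Raised when a create would violate the store's uniqueness rule."""


@dataclass
class FakeAuth0:
    # True models the behaviour the reply attributes to /users (uniqueness on the
    # lowercased address, per the OWASP recommendation); False models the weak
    # alternative where "bob@" and "BOB@" are treated as different users.
    case_insensitive_uniqueness: bool = True
    users: dict = field(default_factory=dict)

    def create_user(self, email: str) -> dict:
        """Models POST /api/v2/users: the stored email is lowercased."""
        key = email.lower() if self.case_insensitive_uniqueness else email
        if key in self.users:
            raise DuplicateUser(key)
        self.users[key] = {"email": key}
        return self.users[key]

    def search_users(self, email: str) -> list:
        """Models GET /api/v2/users?q=email:... : the lookup is lowercased."""
        wanted = email.lower()
        return [u for u in self.users.values() if u["email"].lower() == wanted]

    def users_by_email(self, email: str) -> list:
        """Models GET /api/v2/users-by-email?email=... : exact, case-sensitive."""
        return [u for u in self.users.values() if u["email"] == email]


def normalize_email(email: str) -> str:
    """The fix from the first post: lowercase before calling users-by-email.
    Trimming whitespace is an addition in this example, not from the thread."""
    return email.strip().lower()


def lookup_user_by_email(api: FakeAuth0, email: str) -> list:
    """Query the exact-match endpoint with a normalized address."""
    return api.users_by_email(normalize_email(email))


def demo_lookup_mismatch() -> tuple:
    """Reproduce the inconsistency from the first post; constructed input."""
    api = FakeAuth0()
    api.create_user("BOB@example.com")                    # stored as bob@example.com
    raw = api.users_by_email("BOB@example.com")            # case-sensitive: no hit
    q = api.search_users("BOB@example.com")                # lowercased: hit
    fixed = lookup_user_by_email(api, "BOB@example.com")   # normalized: hit
    return len(raw), len(q), len(fixed)  # (0, 1, 1)


def demo_case_sensitive_uniqueness() -> int:
    """Why the reply's OWASP point matters: with case-sensitive uniqueness the
    same mailbox can be registered twice, so one person holds two accounts."""
    api = FakeAuth0(case_insensitive_uniqueness=False)
    api.create_user("bob@example.com")
    api.create_user("BOB@example.com")  # accepted: second account, same mailbox
    return len(api.search_users("bob@example.com"))  # 2


def demo_case_insensitive_uniqueness() -> bool:
    """With case-insensitive uniqueness the second create is rejected."""
    api = FakeAuth0()
    api.create_user("bob@example.com")
    try:
        api.create_user("BOB@example.com")
    except DuplicateUser:
        return True
    return False


if __name__ == "__main__":
    print(demo_lookup_mismatch())
    print(demo_case_sensitive_uniqueness())
    print(demo_case_insensitive_uniqueness())
```

The normalization belongs in one shared helper that every lookup path uses, so that the login path (which, per the later post, has to use /users-by-email because the q= search is not immediately consistent) and the management path agree on what "the same email" means.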

@john.gateley @stephanie.chamblee
We were hit by this “glitch” of Auth0 APIs in production too. Is there any ETA for the release of the case-insensitive feature?

Another vote for making getUsersByEmail case-insensitive. The Auth0 docs state that other methods of searching for email that are case insensitive are not immediately consistent and should not be used as part of login rules.

Our system depends on being able to look up users by email in both of these situations in a case insensitive way.


Another vote for case-insensitive ‘search user by email’. This just hit us as well and (although documented) was not very obvious.


I’ve opened a feature request for this, please upvote it: Add case-insensitive option for user by email search - Auth0 Community

cc @davidhouseknechtdev @remcoros @simone.chiorazzo @ben_adm
