Email Search Casing Should Not Matter

Hello,

I don’t know if this is a bug or a feature request, but I think I found an inconsistency with users’ emails. Some endpoints do not behave like others in how they treat mixed-case email addresses.

Automatically Lowercasing Email Address

  • Whenever a user is created using the management API POST /users endpoint, the email address provided is always converted to lowercase.
    • example: POST with BOB@example.com and user will be saved in Auth0 as bob@example.com
  • Whenever attempting a login using the authentication API Resource Owner flow from a trusted API, the passed in email will always be lowercased as well.
    • example: user attempts login with BOB@example.com, Auth0 will attempt to log the user in with bob@example.com and whatever password they provided.
  • When fetching a list of users via the management API /users using mixed-case email addresses, the emails will be looked up in lowercase.
    • example: /api/v2/users?q=email:BOB@example.com will lookup and return bob@example.com

Not Automatically Lowercasing Email Address

  • When looking up a single user by their email using the management API /users-by-email?email=…, the email is not lowercased before searching.
    • example: /api/v2/users-by-email?email=BOB@example.com will not return bob@example.com (assuming that user exists in the database).

This bit us in production a few nights ago. It was an easy fix on our end (just lowercase the email before issuing the request). But it just seems like it should be case-insensitive like all the other user related endpoints.

Also, to be fair: the documentation for the /users-by-email endpoint does state it is case-sensitive, making it my fault for not reading it thoroughly before we found out in production. It also kinda means this is a feature request and not a bug report :upside_down_face:

Hi @davidhouseknechtdev

I am doing some checking on this. I’ll let you know.

John

Hi @davidhouseknechtdev,

Thank you for posting this feedback. We were able to find an issue in the backlog about this. The /users-by-email endpoint is case-sensitive because the local part of the email address is preserved as case-sensitive for notification purposes (for example, email resets). However, other endpoints such as the /users endpoint are not case-sensitive because of an OWASP recommendation that email/username uniqueness should be enforced in a case-insensitive way to avoid a security issue.

I agree that this is tricky to catch, and I’ve passed on your post to the appropriate team.