fix(hub): case-insensitive email login #1889
What about a user whose mail is user@gmail.com, when you are saving the mail of another user whose mail is User@gmail.com as user@gmail.com?
By normalizing to lowercase at registration time, two users trying to register user@gmail.com and User@gmail.com will both resolve to user@gmail.com, so the second registration will be rejected as a duplicate. That's exactly the correct behavior.
Thank you for explaining, senior. Really appreciate the help.
henrygd
left a comment
Thanks, however I'm worried that converting to lowercase in JS will prevent login if a user's email is already saved with non-lowercase characters.
We would probably need to add a migration that converts all existing emails to lowercase. But this may break oauth logins if the email has non-lowercase on the provider's side.
I found this comment from the PocketBase author that suggests using a collation. Maybe we can add this in a migration.
I'll follow up when I have time to write a few basic tests.
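The failure mode and the two remedies raised in the review comment above (a lowercase migration, or a collation), as an added example that is not part of the PR or of the project's code. It assumes a hypothetical `users` table in an in-memory SQLite database and SQLite's built-in `NOCASE` collation; the real schema and the collation from the linked comment are not shown on this page.

```python
import sqlite3

def build_db(collation: str = "") -> sqlite3.Connection:
    """Hypothetical users table; `collation` is applied to the email column."""
    db = sqlite3.connect(":memory:")
    db.execute(
        f"CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT {collation} NOT NULL)"
    )
    # The unique index inherits the column's collation.
    db.execute("CREATE UNIQUE INDEX idx_users_email ON users (email)")
    # Constructed sample row: an account saved before any normalization existed.
    db.execute("INSERT INTO users (email) VALUES (?)", ("User@Example.com",))
    db.commit()
    return db

def login_lookup(db, typed_email, lowercase_input):
    """Return the stored email matching what the user typed, or None."""
    email = typed_email.lower() if lowercase_input else typed_email
    row = db.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None

def can_register(db, email):
    """True if the insert passes the unique index, False on a duplicate."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO users (email) VALUES (?)", (email,))
        return True
    except sqlite3.IntegrityError:
        return False

def migrate_lowercase(db):
    """Remedy 1: rewrite stored emails; the original casing is lost."""
    with db:
        db.execute("UPDATE users SET email = lower(email)")

if __name__ == "__main__":
    plain = build_db()
    # Lowercasing only the input locks out the existing mixed-case account.
    print("input lowercased, no migration:", login_lookup(plain, "User@Example.com", True))
    migrated = build_db()
    migrate_lowercase(migrated)
    print("after migration:", login_lookup(migrated, "User@Example.com", True))
    # Remedy 2: collation compares case-insensitively, stored value untouched.
    nocase = build_db("COLLATE NOCASE")
    print("NOCASE lookup:", login_lookup(nocase, "USER@example.com", False))
    print("NOCASE duplicate allowed:", can_register(nocase, "user@example.com"))
```

SQLite's `NOCASE` folds only the ASCII letters A-Z, so non-ASCII characters in an address are still compared byte for byte.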
Hey @svenvg93 — sorry, I filed #1946 before spotting your PR. Turns out mine takes exactly the
📃 Description
Normalize email addresses to lowercase during login and registration to prevent case-sensitive authentication failures. Users who registered with mixed-case emails (e.g., User@Example.com) could not log in using the lowercase variant (user@example.com).
🪵 Changelog
🔧 Fixed