
fix(hub): case-insensitive email login (#1887) #1946

Open
BootstrapperSBL wants to merge 1 commit into henrygd:main from BootstrapperSBL:fix/case-insensitive-email-login

Conversation

@BootstrapperSBL
Contributor

Description

Fixes #1887. Users who register with a mixed-case email (e.g. Foo@bar.com) could not log in as foo@bar.com because PocketBase's password auth performs an exact-match lookup on the email field.

Before

POST /api/collections/_superusers/auth-with-password
{"identity":"foo@bar.com","password":"..."}

400 Bad Request: Failed to authenticate. (invalid login credentials)

After

Same request succeeds regardless of the case used at login.

Approach

Two small hooks in the users package:

  1. NormalizeEmail is bound to OnRecordCreate for both users and _superusers. It lowercases the email before the record is saved so stored values are canonical going forward. The existing PocketBase unique email index then naturally rejects case-variant duplicates.
  2. ResolveAuthIdentity is bound to OnRecordAuthWithPasswordRequest. When PocketBase's exact-match lookup does not find a record, it falls back to [[email]] = {:email} COLLATE NOCASE. This covers accounts created on versions without the normalize hook.

No DB schema change, no migration, nothing to break on existing installs. The fix is scoped to the auth path and stays within PocketBase's hook API.

Changelog

Fixed

Changed

  • New user/superuser records are saved with the email lowercased, preventing future case-variant duplicates.

Tests

internal/hub/case_insensitive_email_test.go adds two test functions:

  • TestEmailIsNormalizedOnCreate — verifies that freshly created users/superusers have their email persisted lowercase, and that a case-variant second registration is rejected by the unique index.
  • TestCaseInsensitiveEmailLogin — simulates a legacy account whose email was stored mixed-case before this fix, then exercises the /auth-with-password endpoint for users and _superusers with lowercase, uppercase and original-case identities. Also covers the negative paths (wrong password, unknown email).

All hub package tests pass. The pre-existing agent and internal/alerts test flakes on upstream/main are unchanged by this PR.

Users who register with a mixed-case email (e.g. "Foo@bar.com") could
not log in with a different casing because PocketBase's password auth
performs an exact-match lookup on the email field.

Normalize the email to lowercase on user/superuser create so stored
values are canonical going forward, and fall back to a case-insensitive
lookup in the OnRecordAuthWithPasswordRequest hook so accounts created
before this fix can still authenticate regardless of the case used.

Fixes henrygd#1887
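The two hooks described under Approach, modelled as an added Go example that is not the PR's code and does not call PocketBase's API (it uses only the standard library so it runs stand-alone). The record store, the `AuthRecord` type, `Create` and `ResolveIdentity` are constructed for illustration. `noCaseEqual` reproduces the one property of SQLite's built-in NOCASE collation that matters here: it folds only the 26 ASCII letters, whereas Go's `strings.ToLower` folds Unicode. The example assumes the unique email index uses SQLite's default BINARY collation, and shows the edge case a legacy mixed-case row creates once normalization is in place: a second, lowercased row for the same address is accepted by the index, after which a case-variant login matches both rows under NOCASE. Rather than silently taking the first hit as a find-first query would, `ResolveIdentity` reports that as an error.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AuthRecord models the columns the auth path cares about. Constructed for
// this example; it is not PocketBase's core.Record.
type AuthRecord struct {
	ID    string
	Email string // stored verbatim; rows created before the fix may be mixed-case
}

// NormalizeEmail is what the create hook stores: the address lowercased.
// strings.ToLower folds Unicode, which is wider than SQLite NOCASE (see below).
func NormalizeEmail(email string) string {
	return strings.ToLower(strings.TrimSpace(email))
}

// Create applies the normalize hook and then the unique index. Assumption:
// the index uses SQLite's default BINARY collation, so only an exact byte
// duplicate of the normalized value is rejected; a legacy mixed-case row is not.
func Create(records []AuthRecord, id, email string) ([]AuthRecord, error) {
	norm := NormalizeEmail(email)
	for _, r := range records {
		if r.Email == norm {
			return records, fmt.Errorf("create %q: UNIQUE constraint failed: email", email)
		}
	}
	return append(records, AuthRecord{ID: id, Email: norm}), nil
}

// noCaseEqual emulates SQLite's built-in NOCASE collation, which folds only the
// 26 ASCII letters; "Ä" and "ä" stay distinct under it.
func noCaseEqual(a, b string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := 0; i < len(a); i++ {
		x, y := a[i], b[i]
		if 'A' <= x && x <= 'Z' {
			x += 'a' - 'A'
		}
		if 'A' <= y && y <= 'Z' {
			y += 'a' - 'A'
		}
		if x != y {
			return false
		}
	}
	return true
}

var (
	ErrNotFound  = errors.New("no auth record matches the identity")
	ErrAmbiguous = errors.New("identity matches more than one record under NOCASE")
)

// ResolveIdentity mirrors the auth hook: exact match first (what PocketBase
// does before the hook runs), then the `[[email]] = {:email} COLLATE NOCASE`
// fallback. It refuses to pick silently when the fallback hits several rows.
func ResolveIdentity(records []AuthRecord, identity string) (*AuthRecord, error) {
	for i := range records {
		if records[i].Email == identity {
			return &records[i], nil
		}
	}
	var hits []*AuthRecord
	for i := range records {
		if noCaseEqual(records[i].Email, identity) {
			hits = append(hits, &records[i])
		}
	}
	switch len(hits) {
	case 0:
		return nil, ErrNotFound
	case 1:
		return hits[0], nil
	default:
		return nil, ErrAmbiguous
	}
}

func main() {
	// Constructed data: one row stored mixed-case before the normalize hook existed.
	records := []AuthRecord{{ID: "legacy", Email: "Foo@bar.com"}}
	for _, id := range []string{"foo@bar.com", "FOO@BAR.COM", "Foo@bar.com"} {
		if r, err := ResolveIdentity(records, id); err != nil {
			fmt.Printf("login %s: %v\n", id, err)
		} else {
			fmt.Printf("login %s -> record %s\n", id, r.ID)
		}
	}
	// Re-registering the same address is lowercased and, under a BINARY index,
	// does not collide with the legacy row; a later case-variant login then
	// matches two rows under NOCASE.
	records, err := Create(records, "new", "Foo@bar.com")
	fmt.Println("create Foo@bar.com:", err)
	_, err = ResolveIdentity(records, "FOO@bar.com")
	fmt.Println("login FOO@bar.com:", err)
}
```

The practical check this suggests before relying on the fallback alone: count rows that collide under NOCASE in existing databases, since those are the installs where a find-first fallback would authenticate an arbitrary one of two accounts.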
@BootstrapperSBL
Contributor Author

Heads up: I just noticed @svenvg93 opened #1889 back on April 4 for the same issue. Missed it when I went scouting — sorry for the duplicate. The approach there is simpler (lowercase-on-write) and @henrygd raised the concern about legacy mixed-case accounts that this PR's COLLATE NOCASE fallback is meant to cover. Happy to close this one if you'd rather iterate on #1889.


Development

Successfully merging this pull request may close these issues.

[Bug]: Login E-Mail is case Sensitive