Email treated case-sensitively across providers => leads to duplicate accounts
Hi there,
First of all, thanks for building stack-auth – I really appreciate its simplicity and well-designed components!
I’ve recently encountered a problem where email addresses are treated in a case-sensitive manner. That means [email protected] and [email protected] are considered two separate accounts, even though they refer to the same logical user.
While this might not happen frequently in general, it did occur in our setup where Microsoft OAuth was enabled at a later stage:
- Initially, users were created using email + password, and their email addresses were stored in lowercase.
- Later on, Microsoft OAuth was added.
- For some users (not all), the email coming from the OAuth provider had capitalized initials (e.g., [email protected]), while others stayed lowercase.
- As a result, these users ended up with duplicate accounts under different casings.
I'm wondering:
- Why might Microsoft OAuth return different email casing for different users, or does it simply forward the email address as entered by the user (without converting to lowercase, treating it internally as case-insensitive)?
- Should email addresses be normalized (e.g., to lowercase) internally to avoid this kind of issue?
- Is there currently a way to link additional auth providers (e.g., OAuth) to an existing user account created via email/password?
I hope my issue description is clear, and I’d love to hear your thoughts or any recommendations on how to handle this properly.
Thanks a lot!
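To make the normalization question concrete, here is an added example (not stack-auth's own code, and not from the reporter or maintainers) showing the defender's side of the problem: a comparison key built by lowercasing the address, a scan that finds accounts which collapse onto the same key, and the lookup a sign-in flow would run before creating a new account for an OAuth email. The `Account` type, the function names and the sample addresses are all assumptions constructed for this example.

```typescript
// Added example, not part of stack-auth. Demonstrates case-insensitive
// matching of email addresses so that a password account and an OAuth
// account for the same user are recognised as one logical identity.

export interface Account {
  id: string;
  email: string;               // stored as the user/provider supplied it
  provider: "password" | "microsoft";
}

// Build a key for comparison and lookup only; keep the original for display.
// Assumption: the whole address is treated case-insensitively. RFC 5321 allows
// a case-sensitive local part, but mainstream providers do not distinguish
// casing, so lowercasing both local part and domain is the practical choice.
export function normalizeEmail(raw: string): string {
  const trimmed = raw.trim().normalize("NFC");
  const at = trimmed.lastIndexOf("@");
  if (at <= 0 || at === trimmed.length - 1) {
    throw new Error(`invalid email: ${raw}`);
  }
  const local = trimmed.slice(0, at).toLowerCase();
  const domain = trimmed.slice(at + 1).toLowerCase();
  return `${local}@${domain}`;
}

// Group accounts by normalized email; any group with more than one member is
// a set of duplicates that should be reviewed and merged.
export function findDuplicateAccounts(accounts: Account[]): Map<string, Account[]> {
  const byEmail = new Map<string, Account[]>();
  for (const acct of accounts) {
    const key = normalizeEmail(acct.email);
    const group = byEmail.get(key) ?? [];
    group.push(acct);
    byEmail.set(key, group);
  }
  const dups = new Map<string, Account[]>();
  byEmail.forEach((group, key) => {
    if (group.length > 1) dups.set(key, group);
  });
  return dups;
}

// Sign-in time lookup: resolve an incoming OAuth email to an existing account
// before deciding to create a new one.
export function findExistingAccount(
  accounts: Account[],
  incomingEmail: string,
): Account | undefined {
  const key = normalizeEmail(incomingEmail);
  return accounts.find((a) => normalizeEmail(a.email) === key);
}

// Constructed sample data (not from any real system): u1/u2 are the
// duplicate pair described in the issue, u3/u4 are distinct users.
export const sampleAccounts: Account[] = [
  { id: "u1", email: "jane.doe@example.com", provider: "password" },
  { id: "u2", email: "Jane.Doe@example.com", provider: "microsoft" },
  { id: "u3", email: "bob@example.com", provider: "password" },
  { id: "u4", email: "alice@example.com", provider: "microsoft" },
];

// Stand-alone run: report the duplicate groups in the sample data.
findDuplicateAccounts(sampleAccounts).forEach((group, key) => {
  console.log(`${key}: ${group.map((a) => `${a.id}(${a.provider})`).join(", ")}`);
});
```

Two design points worth keeping in mind when applying this: store the normalized key in a unique-indexed column alongside the original address, so the database enforces uniqueness rather than application code; and only auto-link an OAuth identity to an existing password account on a matching key if the provider asserts that the email is verified, otherwise a mismatch in casing is the least of the linking risks.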
Thanks for reporting! This is actually being worked on currently. Take a look at #720
If you have questions, let us know!