Normalize email to lower case on creation and login (#745)

* 🔨 Normalize email to lower case on creation and login * ➕ Add test case for other case fxa email login
thunderbird · Nov 18, 2024 · 8dbf6ce · 8dbf6ce
1 parent 8094904
commit 8dbf6ce
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/backend/src/appointment/routes/auth.py b/backend/src/appointment/routes/auth.py
@@ -49,7 +49,7 @@ def create_access_token(data: dict, expires_delta: timedelta | None = None):
 
 def create_subscriber(db, email, password, timezone):
     subscriber = repo.subscriber.create(db, schemas.SubscriberBase(
-        email=email,
+        email=email.lower(), # Make sure to store the email address in lower case
         username=email,
         name=email.split('@')[0],
         timezone=timezone
@@ -95,6 +95,9 @@ def fxa_login(
 
     fxa_client.setup()
 
+    # Normalize email address to lower case
+    email = email.lower()
+
     # Check if they're in the allowed list, but only if they didn't provide an invite code
     # This checks to see if they're already a user (bypasses allow list) or in the allow list.
     is_in_allow_list = fxa_client.is_in_allow_list(db, email)
@@ -371,4 +374,3 @@ def permission_check(subscriber: Subscriber = Depends(get_admin_subscriber)):
     if subscriber.is_deleted:
         raise validation.InvalidPermissionLevelException()
     return True  # Covered by get_admin_subscriber
-
diff --git a/backend/test/integration/test_auth.py b/backend/test/integration/test_auth.py
@@ -146,6 +146,19 @@ def test_fxa_login(self, with_client):
         assert 'url' in data
         assert data.get('url') == FXA_CLIENT_PATCH.get('authorization_url')
 
+    def test_fxa_login_with_uppercase_email(self, with_client):
+        os.environ['AUTH_SCHEME'] = 'fxa'
+        response = with_client.get(
+            '/fxa_login',
+            params={
+                'email': FXA_CLIENT_PATCH.get('subscriber_email').upper(),
+            },
+        )
+        assert response.status_code == 200, response.text
+        data = response.json()
+        assert 'url' in data
+        assert data.get('url') == FXA_CLIENT_PATCH.get('authorization_url')
+
     def test_fxa_with_allowlist_and_without_invite(self, with_client, with_l10n):
         os.environ['AUTH_SCHEME'] = 'fxa'
         os.environ['FXA_ALLOW_LIST'] = '@example.org'