So basically I would like the email/password provider to be more flexible.
I don’t want to write a Custom Authentication System where I’d have to hash the passwords myself etc.
I want to add 2 things:
on register: if another user already exists with the same email address BUT different casing (e.g. Example@example.com exists and a new user tries to register with email@example.com), then the registration should be blocked
on login: if the user enters his email address in a different casing but with the correct password, he/she should still get logged in to his/her account
What would be the best way to accomplish this?
I would probably lowercase the email before calling the login or signup function. This would avoid the problem of case sensitivity, as emails are always considered case insensitive.
@Mohit_Sharma thanks for answering!
The problem is there are actually some email services that give out the same emails but with different casing. So it could possibly be very dangerous to just lowercase any email address. Imagine Example@example.com (“Example”) registers, but the registration email gets sent to firstname.lastname@example.org (“example”) because we lowercased it client-side. But those email addresses might be operated by completely different persons. Example can then click “verify” in the email he got. example just misses the fact that he didn’t click on the verify button, just tries to log in anyhow, and it works. example now uses the app for some time. At any point Example can trigger a password reset, gets the password reset link sent to his mail and can then steal the account without a problem, an account which example maybe even paid for services on, etc.