Login email address should be case-insensitive
Expected Behaviour
Email address is expected as user name for login. Email addresses are not case-sensitive (by definition), so users will expect case insensitivity here.
To reduce burden for admins, there are various possibilities:
- If users must use email address as username, this special case sensitivity should be made clear
- Compare usernames without case sensitivity (less secure)
- Use something other than email address as username
Steps to Reproduce
- Create an account with mixed case email as user name.
- Log out, then log in using the same email with different case
- Can't log in because username is case sensitive.
Versions
- Authoring Tool Version: *
I agree that most systems don't differentiate, but this is not guaranteed to be the case. There could be two perfectly valid and different emails [email protected] and [email protected].
According to RFC 5321 2.3.11:
The standard mailbox naming convention is defined to be "local-part@domain"; contemporary usage permits a much broader set of applications than simple "user names". Consequently, and due to a long history of problems when intermediate hosts have attempted to optimize transport by modifying them, the local-part MUST be interpreted and assigned semantics only by the host specified in the domain part of the address.
and 2.4:
The local-part of a mailbox MUST BE treated as case sensitive. Therefore, SMTP implementations MUST take care to preserve the case of mailbox local-parts. In particular, for some hosts, the user "smith" is different from the user "Smith". However, exploiting the case sensitivity of mailbox local-parts impedes interoperability and is discouraged.
In the interests of correctness, we would allow both, but as you've said this may cause unnecessary user error in practicality. Another question is whether we should be validating domain case.
Schooled! Thanks for that correction. Always learning.
I'd be completely satisfied if the case sensitivity is clarified in/near/around the form.
Perhaps this is most important when people create their account?
😄
I'm happy to go with the consensus on this one tbh. There are probably more practical reasons to go with case-insensitivity over the standard. It may be worth us seeing if we can find any examples of case-sensitive servers, that might give us our answer.
Agreed that if we go with case-sensitivity, we should warn users about it.
See #1634
This is an issue which causes lots of headaches for us. I would be strongly in favour of a migration to convert all emails to lower case and updating the create user code to ensure emails are always saved in lower case. I am happy to work on this as a solution if there are no objections?
Agreed @canstudios-nicolaw. This causes us a lot of issues as well.
How about a server-level config option, defaulted to ignoring case when validating email addresses?
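Added example (not part of the thread and not the project's code): a pre-migration check for the lowercase conversion and config option discussed above, listing stored emails that would become the same login once case is ignored, so no two accounts are silently merged. The function names, the `ignoreLocalCase` option and the sample addresses are hypothetical.

```javascript
// Added example: names and sample data are hypothetical, not from the project.

// Split at the last "@" so a quoted local part containing "@" stays intact.
function splitEmail(email) {
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) {
    throw new Error(`not an email address: ${email}`);
  }
  return { local: email.slice(0, at), domain: email.slice(at + 1) };
}

// Domains are case-insensitive (DNS); the local part is folded only when
// the operator opts in, mirroring the server-level option suggested above.
function normalizeEmail(email, { ignoreLocalCase = true } = {}) {
  const { local, domain } = splitEmail(email.trim());
  return (ignoreLocalCase ? local.toLowerCase() : local) + '@' + domain.toLowerCase();
}

// Group stored addresses by normalized form and return every group holding
// more than one account. Each group needs a manual decision before the
// migration runs: merging would give one user access to another's account.
function findCaseCollisions(emails, options) {
  const groups = new Map();
  for (const email of emails) {
    const key = normalizeEmail(email, options);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(email);
  }
  return [...groups]
    .filter(([, members]) => members.length > 1)
    .map(([normalized, members]) => ({ normalized, members }));
}

// Constructed sample data standing in for the stored user emails.
const storedEmails = [
  'Alice@Example.com',
  'alice@example.com',
  'bob@EXAMPLE.org',
  'carol@example.net',
];

const collisions = findCaseCollisions(storedEmails);
console.log(JSON.stringify(collisions, null, 2));
```

The same `normalizeEmail` call belongs on both the create-user path and the login lookup, otherwise the stored and submitted forms can still diverge.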