javascriptemail-validationunicode-string

Is it safe to convert emails with other characters than a-Z to lower case?


Any modern email service provider treats emails as case insensitive meaning that in my application I should allows users to log in both using johndoe@gmail.com and JohnDoe@Gmail.com.

In terms of the characters a-Z this is easy to implement as I can just always convert the input to lower case.

However, if a user's email contains other characters like the german ß which converts to SS in uppercase (which would convert back to ss in lowercase), or other international characters which may have special rules for how they convert between lower and upper case, then do I now run the risk of users not being able to log in if they type the email in a different "case" than the one they originally signed up with?

Would it be better to use toLocaleLowerCase() in my scenario then? Or should I only convert the a-Z characters and leave the others in the case they were provided in? Or what should I do in this scenario?

My current implementation is simply (pseudocode):

// when storing the email on my DB
db.user.save({ email: inputEmail.toLowerCase(), ... })

// when finding the user to authenticate
db.user.find("email", inputEmail.toLowerCase())

Solution

  • Any modern email service provider treats emails as case insensitive.

    Yes.

    Though if you used upper case for case insensitive match, Strauß@example.com and Strauss@example.com would match, but the mail server might consider them as different accounts.

    You'll never know what exactly arbitrary mail servers will consider as the same mailbox or not.

    … meaning that in my application I should allows users to log in both

    No. You only need to allow login under the same address as was used for signup. Store that in your database, not something else. It's also the address you will need to use when actually sending an email - do not change its case! To answer the title question, it is never safe to convert email address to a different case, regardless whether you do it only for the characters [a-z] or not.

    However, unrelated to the email address stored in the user profile, you may want to allow logins when the user enters a similar-enough email for convenience. Here, you can make up arbitrary rules, as long as "strauss" logs into the actual Strauß@example.com account. Of course that means you will have to also prevent users from creating accounts with similar email addresses, but you're safe as long as you follow the same (arbitrary) normalisation rules for uniqueness checking. Notice it's also a good idea to prevent homoglyph attacks, especially if the email address is displayed to the public or any other user.