This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Handling of upper and lower case of e-mail addresses #7016

Closed
dklimpel opened this issue Mar 2, 2020 · 9 comments · Fixed by #7021
Labels
A-Registration Creating an account z-p2 (Deprecated Label)

Comments

@dklimpel
Contributor

dklimpel commented Mar 2, 2020

Due to the handling of upper and lower case of e-mail addresses, you can register the same e-mail address several times.
I will create a PR.

Description

Steps to reproduce

  • register mail address to an account
  • register the same address to another account (different case typing)

Version information

  • Homeserver: Own

If not matrix.org:

  • Version: 1.11.0

  • Install method: Debian Package

  • Platform: Azure VM
@richvdh
Member

richvdh commented Mar 3, 2020

It's not necessarily a valid assumption that [email protected] and [email protected] are the same email address...

@bpcurse

bpcurse commented Mar 4, 2020

It's not necessarily a valid assumption that [email protected] and [email protected] are the same email address...

Although it seems all major email providers have decided to ignore case in the localpart.
For practical reasons this is probably the right decision, and it seems to be kind of an unofficial standard nowadays.

@richvdh
Member

richvdh commented Mar 4, 2020

A question I'd like to understand the answer to is this: beyond "they could be registered to different accounts", what problems are actually caused by having [email protected] and [email protected] treated as different addresses? And why is that worse than having richardv @ matrix.org and richvdh @ matrix.org registered to different accounts?

@bpcurse

bpcurse commented Mar 4, 2020

Due to the aspects mentioned before, I'd hypothesise that the vast majority of users would not expect case sensitivity. Unintentionally entering [email protected] on registration could lead to issues when trying to log in using [email protected].

@richvdh
Member

richvdh commented Mar 4, 2020

Unintentionally entered [email protected] on registration

I feel like a better way to solve this problem is a "did you mean [email protected]?" prompt.

@dklimpel
Contributor Author

dklimpel commented Mar 4, 2020

what problems are actually caused by having [email protected] and [email protected] treated as different addresses?

You need your address for a password reset. Which account will be reset? Both accounts? The first one in the database?

https://github.com/matrix-org/synapse/blob/master/synapse/handlers/auth.py#L842-L850

        # 'Canonicalise' email addresses down to lower case.
        # We've now moving towards the homeserver being the entity that
        # is responsible for validating threepids used for resetting passwords
        # on accounts, so in future Synapse will gain knowledge of specific
        # types (mediums) of threepid. For now, we still use the existing
        # infrastructure, but this is the start of synapse gaining knowledge
        # of specific types of threepid (and fixes the fact that checking
        # for the presence of an email address during password reset was
        # case sensitive).

It is implemented in a few functions, but not in all.

@clokep
Member

clokep commented Mar 4, 2020

I believe that doing some sort of normalization in this situation is standard in web frameworks -- Django does something like this (and recently had a CVE due to it). (Looking at their code they do also send a password reset to all matching users -- being careful to use the emails from the database, not the user submitted email.)
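As an added example (not Synapse's or Django's own code) of the approach described in this comment: addresses are compared through a canonical lower-case form, a second binding of an already-used address is rejected at registration, and a password reset goes to the address stored in the database for every matching account, never to the user-submitted string. The names `ThreepidStore` and `canonicalise_email` and the sample accounts are constructed for illustration.

```python
"""Added example: case-insensitive matching of e-mail 3PIDs (not Synapse code)."""
from dataclasses import dataclass
from typing import Iterable, List


class ThreepidInUse(Exception):
    """Raised when a second account tries to bind an address already in use."""


def canonicalise_email(address: str) -> str:
    """Return a lower-cased form used only for comparison.

    Lower-casing the domain is always safe (DNS names are case-insensitive);
    lower-casing the local part follows the de-facto behaviour of the major
    providers discussed in this thread. The original spelling is kept in the
    store and is what gets mailed.
    """
    addr = address.strip()
    if addr.count("@") != 1:
        raise ValueError("malformed e-mail address")
    local, domain = addr.split("@")
    if not local or not domain:
        raise ValueError("malformed e-mail address")
    return f"{local.lower()}@{domain.lower()}"


@dataclass(frozen=True)
class Account:
    user_id: str
    email: str  # exactly as the user entered it at registration


class ThreepidStore:
    """Constructed in-memory stand-in for the threepid table."""

    def __init__(self, legacy_rows: Iterable[Account] = ()) -> None:
        # legacy_rows models bindings created before duplicates were rejected
        self._rows: List[Account] = list(legacy_rows)

    def bind_email(self, user_id: str, email: str) -> None:
        key = canonicalise_email(email)
        if any(canonicalise_email(a.email) == key for a in self._rows):
            raise ThreepidInUse("address already associated with an account")
        self._rows.append(Account(user_id, email.strip()))

    def accounts_for(self, submitted: str) -> List[Account]:
        key = canonicalise_email(submitted)
        return [a for a in self._rows if canonicalise_email(a.email) == key]


def password_reset_recipients(store: ThreepidStore, submitted: str) -> List[str]:
    # Mail every matching account at its *stored* address, not the submitted one.
    return [a.email for a in store.accounts_for(submitted)]
```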

@dklimpel
Contributor Author

dklimpel commented Mar 8, 2020

In addition, it is requested by specs:

The homeserver must check that the given email address is not already associated with an account on this homeserver.

https://matrix.org/docs/spec/client_server/latest#post-matrix-client-r0-account-3pid-email-requesttoken

@neilisfragile neilisfragile added enhancement z-p2 (Deprecated Label) labels Mar 9, 2020
@babolivier
Contributor

babolivier commented Mar 12, 2020

I feel like this is the same discussion as matrix-org/matrix-spec-proposals#2265 (or at least should happen there since it's more of a spec thing than just a Synapse implementation detail)


7 participants