Skip to content

Password reset fails silently when email address has different casing #244

Description

@JoostPennings-STRAK

Bug description

When setting a password via the account creation email link, the password reset form fails with a generic error if the email address is entered with different casing than was used when the account was created.

Steps to reproduce

  1. Create a new user account with an email address that has uppercase letters in the local part (before the @), e.g. User.Name@example.com
  2. Open the "Set Password" link from the account creation email
  3. Fill in the password form — enter the email address in all lowercase: user.name@example.com
  4. Submit the form

Expected behavior

The password is set successfully. Email addresses should be matched case-insensitively, as this is standard behavior across virtually all modern systems and avoids a confusing user experience.

Actual behavior

The API returns 400 Bad Request with "Password reset failed". There is no indication to the user that the email casing is the cause.

Notes

  • The local part of an email address (before @) is technically case-sensitive per RFC 5321, but in practice no mail server treats it as such. Erugo is the only point in the flow where casing matters, which makes this a surprising
    footgun.
  • A simple fix would be to normalize the email to lowercase before storing the password reset token and before looking it up in AuthController::resetPassword.
  • The same issue likely applies to the regular forgot-password flow.

Environment

  • Erugo version: 0.2.15
  • Deployment: Docker (self-hosted)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions