Bug description
When setting a password via the account creation email link, the password reset form fails with a generic error if the email address is entered with different casing than was used when the account was created.
Steps to reproduce
- Create a new user account with an email address that has uppercase letters in the local part (before the
@), e.g. User.Name@example.com
- Open the "Set Password" link from the account creation email
- Fill in the password form — enter the email address in all lowercase:
user.name@example.com
- Submit the form
Expected behavior
The password is set successfully. Email addresses should be matched case-insensitively, as this is standard behavior across virtually all modern systems and avoids a confusing user experience.
Actual behavior
The API returns 400 Bad Request with "Password reset failed". There is no indication to the user that the email casing is the cause.
Notes
- The local part of an email address (before
@) is technically case-sensitive per RFC 5321, but in practice no mail server treats it as such. Erugo is the only point in the flow where casing matters, which makes this a surprising
footgun.
- A simple fix would be to normalize the email to lowercase before storing the password reset token and before looking it up in
AuthController::resetPassword.
- The same issue likely applies to the regular forgot-password flow.
Environment
- Erugo version: 0.2.15
- Deployment: Docker (self-hosted)
Bug description
When setting a password via the account creation email link, the password reset form fails with a generic error if the email address is entered with different casing than was used when the account was created.
Steps to reproduce
@), e.g.User.Name@example.comuser.name@example.comExpected behavior
The password is set successfully. Email addresses should be matched case-insensitively, as this is standard behavior across virtually all modern systems and avoids a confusing user experience.
Actual behavior
The API returns
400 Bad Requestwith"Password reset failed". There is no indication to the user that the email casing is the cause.Notes
@) is technically case-sensitive per RFC 5321, but in practice no mail server treats it as such. Erugo is the only point in the flow where casing matters, which makes this a surprisingfootgun.
AuthController::resetPassword.Environment