In one project at work we implemented a passwordless
login where you enter your email and then prove that you own this email account by clicking on the link we sent you.
When I tried to log in with my (mistakenly uppercased) email address [email protected]
I got an email, but this was not my account… It was empty.
Then it struck me. I used the entered email as a case-sensitive identifier for the account, and obviously
"[email protected]" !== "[email protected]"
Moral of the story: always lowercase emails BEFORE comparing (or even writing) to the database; otherwise the user has to remember the casing they used when creating their account in the first place.
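
The bug and the fix from the story above, as an added example that is not code from the original project. `AccountStore`, `findOrCreate` and the `example.com` addresses are constructed for illustration; the in-memory `Map` stands in for the accounts table.

```javascript
// Hypothetical in-memory stand-in for the accounts table.
class AccountStore {
  constructor(normalize) {
    this.normalize = normalize;  // applied to every email before lookup AND before write
    this.accounts = new Map();   // lookup key -> account record
  }

  // Passwordless login: resolve the account for the entered email,
  // creating a fresh (empty) one if no record matches the key.
  findOrCreate(email) {
    const key = this.normalize(email);
    if (!this.accounts.has(key)) {
      this.accounts.set(key, { id: this.accounts.size + 1, email: key, items: [] });
    }
    return this.accounts.get(key);
  }
}

// Buggy behaviour: the email is used exactly as typed.
const asEntered = (email) => email;
// Fixed behaviour: lowercase before comparing or writing.
const lowercased = (email) => email.toLowerCase();

// Sign up with one casing, then log in again with a different casing.
function loginTwice(normalize) {
  const store = new AccountStore(normalize);
  const first = store.findOrCreate('jane@example.com');   // constructed address
  first.items.push('saved data');
  const second = store.findOrCreate('Jane@Example.com');  // same mailbox, different casing
  return {
    sameAccount: first === second,
    accountCount: store.accounts.size,
    itemsSeen: second.items.length,
  };
}

console.log('as entered:', loginTwice(asEntered));   // second login lands in a new, empty account
console.log('lowercased:', loginTwice(lowercased));  // second login finds the existing account
```

Rows written before the fix keep their original casing, so existing email values need to be lowercased as well before lookups by the normalized key will find them.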