TIL why User emails should always be lowercased before using them as a login qualifier

1 minute read Published:

In one project at work we implemented a passwordless login where you enter your email and then prove that you own this email-account by clicking on the link we sent you.

When I tried to log in with my (mistakenly uppercased) email-adress Erdii@werise.de I got an email, but this was not my account… It was empty.

Then it struck me. I used the entered email as a case-sensitive identifier to the account and obviously "Erdii@werise.de" !== "erdii@werise.de"

Moral of the story: always lowercase emails BEFORE comparing (or even writing) to the database, or the user has to remember the casing they used when creating their account in the first time