[PR #2438] fix: normalize OIDC email to lowercase to prevent duplicate users #2306

Open
opened 2026-02-26 20:33:19 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/documenso/documenso/pull/2438
Author: @misha366
Created: 1/31/2026
Status: 🔄 Open

Base: main ← Head: fix/doc-2397-oidc-email-case-sensitivity


📝 Commits (1)

  • 9655e4d fix: normalize OIDC email to lowercase to prevent duplicate users

📊 Changes

1 file changed (+1 additions, -1 deletions)


📝 packages/auth/server/lib/utils/handle-oauth-callback-url.ts (+1 -1)

📄 Description

Description

The validateOauth() function in handle-oauth-callback-url.ts returns the email from OIDC JWT claims without normalizing it to lowercase. This causes duplicate user creation when the same person signs up via OIDC (with a mixed-case email like Test@Example.COM) and then via email/password (with test@example.com).

Related Issue

#2397

Changes Made

  • Normalized email to lowercase in the return value of validateOauth() by calling .toLowerCase(), consistent with how all other auth flows handle emails (e.g. create-user.ts, email-password.ts).

Testing Performed

  • Most popular OIDC providers (e.g. Keycloak, Google) normalize emails to lowercase before returning them in tokens, which makes this bug hard to reproduce. To reproduce the issue, a custom mock OIDC server was written that returns a mixed-case email (Test@Example.COM) without normalization.
  • Video demonstrating the reproduction: https://go.screenpal.com/watch/cOVwbqn3aFE
  • Verified that after the fix, signing up via mock OIDC with Test@Example.COM and then via email/password with test@example.com correctly links to the same user instead of creating a duplicate.

Checklist

  • [+] I have tested these changes locally and they work as expected.
  • [ ] I have added/updated tests that prove the effectiveness of these changes.
  • [ ] I have updated the documentation to reflect these changes, if applicable.
  • [+] I have followed the project's coding style guidelines.
  • [ ] I have addressed the code review feedback from the previous submission, if applicable.

Additional Notes

The fix is a single-line change in validateOauth() which is shared by both the regular OAuth callback and the organisation OAuth callback (handle-oauth-organisation-callback-url.ts), so both flows are covered.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

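A minimal model of the failure the PR describes, written as an added example (TypeScript, not Documenso's code). `validateOauthBefore` and `validateOauthAfter` stand in for the project's `validateOauth()` before and after the one-line change; `UserStore`, `signUpWithPassword` and `signUpWithOidc` are hypothetical stand-ins for the project's user creation and callback code, and the ID-token claims object is constructed sample data from a mock provider that does not normalize case. The store does an exact string match on the stored email, which is what a unique index on the email column gives you, so the "before" variant ends up with two accounts for one person while the "after" variant links the OIDC login to the existing account.

```typescript
// Added example, not Documenso's code: models the duplicate-user bug fixed in PR #2438.
// validateOauthBefore / validateOauthAfter are stand-ins for the real validateOauth();
// UserStore and the sign-up helpers are hypothetical; the claims below are constructed.

type OidcClaims = { sub: string; email: string; email_verified?: boolean };
type User = { id: number; email: string; providerSubs: string[] };
type Validator = (claims: OidcClaims) => { sub: string; email: string };

class UserStore {
  private users: User[] = [];
  private nextId = 1;

  // Exact-match lookup on the stored string, mirroring a unique index on `email`.
  findByEmail(email: string): User | undefined {
    return this.users.find((u) => u.email === email);
  }

  // Create the user if the (already normalized) email is unknown, then link the
  // external identity to it so a later OIDC login finds the same account.
  findOrCreate(email: string, providerSub?: string): User {
    let user = this.findByEmail(email);
    if (!user) {
      user = { id: this.nextId++, email, providerSubs: [] };
      this.users.push(user);
    }
    if (providerSub && !user.providerSubs.includes(providerSub)) {
      user.providerSubs.push(providerSub);
    }
    return user;
  }

  count(): number {
    return this.users.length;
  }
}

// Rejects tokens without a usable email claim; both variants share this check.
function requireEmail(claims: OidcClaims): string {
  if (typeof claims.email !== "string" || claims.email.trim() === "") {
    throw new Error("ID token has no email claim");
  }
  return claims.email;
}

// Before the fix: the email is returned exactly as the provider sent it.
const validateOauthBefore: Validator = (claims) => ({
  sub: claims.sub,
  email: requireEmail(claims),
});

// After the fix: normalized to lowercase, matching the email/password flow.
// toLowerCase() is locale-independent, which is the behaviour wanted here.
const validateOauthAfter: Validator = (claims) => ({
  sub: claims.sub,
  email: requireEmail(claims).toLowerCase(),
});

// The email/password path already lowercases (as the PR says create-user.ts does).
function signUpWithPassword(store: UserStore, email: string): User {
  return store.findOrCreate(email.toLowerCase());
}

// The OIDC callback path trusts whatever validateOauth() hands back.
function signUpWithOidc(store: UserStore, claims: OidcClaims, validate: Validator): User {
  const { sub, email } = validate(claims);
  return store.findOrCreate(email, `mock-oidc:${sub}`);
}

// Constructed claims from a mock OIDC provider that returns mixed case.
const MIXED_CASE_CLAIMS: OidcClaims = {
  sub: "abc123",
  email: "Test@Example.COM",
  email_verified: true,
};

// Runs the PR's reproduction: OIDC sign-up first, then email/password sign-up.
function reproduce(validate: Validator): { users: number; sameUser: boolean } {
  const store = new UserStore();
  const viaOidc = signUpWithOidc(store, MIXED_CASE_CLAIMS, validate);
  const viaPassword = signUpWithPassword(store, "test@example.com");
  return { users: store.count(), sameUser: viaOidc.id === viaPassword.id };
}

console.log("before fix:", reproduce(validateOauthBefore)); // users: 2, sameUser: false
console.log("after fix: ", reproduce(validateOauthAfter)); // users: 1, sameUser: true
```

The check to carry over to a real code base is that the lowercase step has to sit at every entry point that reads an email (sign-up, sign-in, invitations, both OIDC callbacks) and at lookup, not in just one of them; otherwise a unique constraint is satisfied by two spellings of the same address and the provider's case convention silently decides whether accounts collide. Prefer `toLowerCase()` over `toLocaleLowerCase()` for this, since the latter varies with the server locale.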