fix: normalize email domain case in validateEmailDomain

[sahillllllllll-bit]

Fixes #40045

Email domain validation currently treats domains as case-sensitive, which leads to valid email addresses being incorrectly rejected when their casing differs from the configured allowed or blocked domain lists.

For example, an email like test@GMAIL.com is rejected when gmail.com is present in the allowed domains list.

Domain names are case-insensitive by standard, so this behavior is incorrect and results in inconsistent validation.

This PR normalizes both the extracted email domain and the configured domain lists to lowercase before performing comparisons, ensuring consistent and standards-compliant validation.

Summary by CodeRabbit

• Bug Fixes
  • Email domain validation now trims and lowercases domains (both lists and incoming addresses) for consistent whitelist/blacklist checks and DNS resolution, preventing case-related mismatches.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 8bec5d4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b82cad07-522d-42c5-b606-3de7fe1ce3a5

📥 Commits

Reviewing files that changed from the base of the PR and between 2f34fe2 and 8bec5d4.

📒 Files selected for processing (1)

• apps/meteor/app/lib/server/lib/validateEmailDomain.js

✅ Files skipped from review due to trivial changes (1)

• apps/meteor/app/lib/server/lib/validateEmailDomain.js

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: cubic · AI code reviewer

---

Walkthrough

Email domain validation now normalizes domains to lowercase: blocked/allowed lists are trimmed and lowercased when stored, and extracted email domains are lowercased before whitelist/blacklist checks and before MX DNS resolution.

Changes

Cohort / File(s)	Summary
Email Domain Validation apps/meteor/app/lib/server/lib/validateEmailDomain.js	Normalize blocked/allowed list entries by trimming and lowercasing; lowercase extracted email domain before whitelist/blacklist membership checks and before dns.resolveMx to ensure case-insensitive comparisons.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main change: normalizing email domain case sensitivity in the validateEmailDomain function.
Linked Issues check	✅ Passed	The code changes directly address issue #40045 by normalizing domains to lowercase before comparisons, making email domain validation case-insensitive as required.
Out of Scope Changes check	✅ Passed	All changes are scoped to the validateEmailDomain.js file and directly address the case-sensitivity bug; no unrelated modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/meteor/app/lib/server/lib/validateEmailDomain.js`:
- Around line 46-48: The comparison is still case-sensitive because emailDomain
is lowercased but emailDomainWhiteList entries are only trimmed; update the
logic in validateEmailDomain (or wherever emailDomainWhiteList is constructed)
to normalize allowlist entries to lower-case (and trim) before use, e.g.
map/emailDomainWhiteList = emailDomainWhiteList.map(e => e.trim().toLowerCase())
or perform a case-insensitive comparison when checking emailDomain against
emailDomainWhiteList so values like "GMAIL.com" match "gmail.com".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7e9c6b22-7633-48bd-8f10-dc039bac8cda

📥 Commits

Reviewing files that changed from the base of the PR and between 8ebf44b and 2f34fe2.

📒 Files selected for processing (1)

• apps/meteor/app/lib/server/lib/validateEmailDomain.js

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: cubic · AI code reviewer

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/app/lib/server/lib/validateEmailDomain.js

🧠 Learnings (1)

📓 Common learnings

Learnt from: smirk-dev
Repo: RocketChat/Rocket.Chat PR: 39625
File: apps/meteor/app/api/server/v1/push.ts:85-97
Timestamp: 2026-03-14T14:58:58.834Z
Learning: In RocketChat/Rocket.Chat, the `push.token` POST/DELETE endpoints in `apps/meteor/app/api/server/v1/push.ts` were already migrated to the chained router API pattern on `develop` prior to PR `#39625`. `cleanTokenResult` (which strips `authToken` and returns `PushTokenResult`) and `isPushTokenPOSTProps`/`isPushTokenDELETEProps` validators already exist on `develop`. PR `#39625` only migrates `push.get` and `push.info` to the chained pattern. Do not flag `cleanTokenResult` or `PushTokenResult` as newly introduced behavior-breaking changes when reviewing this PR.

🔇 Additional comments (1)

apps/meteor/app/lib/server/lib/validateEmailDomain.js (1)

21-24: Blocked-domain normalization looks correct.

Lowercasing blocked domains at ingestion aligns with the lowercased emailDomain comparison path and fixes case-mismatch rejects for blacklist checks.

[cubic-dev-ai]

No issues found across 1 file