fix: lowercase the email when requesting an email change (#1940)

* fix: lowercase the email when requesting an email change

* fix: typo in .toLowerCase

* fix: compare with lowercase email

Author: spaenleh

src/services/auth/plugins/passport/strategies/emailChange.ts

@@ -21,8 +21,16 @@ export default (
         jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
         secretOrKey: EMAIL_CHANGE_JWT_SECRET,
       },
-      async ({ uuid, oldEmail, newEmail }, done: StrictVerifiedCallback) => {
+      async (
+        {
+          uuid,
+          oldEmail,
+          newEmail: newEmailRaw,
+        }: { uuid: string; oldEmail: string; newEmail: string },
+        done: StrictVerifiedCallback,
+      ) => {
         try {
+          const newEmail = newEmailRaw.toLowerCase();
           // We shouldn't fetch the member by email, so we keep track of the actual member.
           const member = await memberRepository.get(db, uuid);
           // We check the email, so we invalidate the token if the email has changed in the meantime.

src/services/member/member.controller.email.storage.test.ts

@@ -142,7 +142,7 @@ describe('Member Storage Controller', () => {
       expect(response.statusCode).toBe(StatusCodes.NO_CONTENT);
       await waitForExpect(() => {
         expect(mockSendEmail).toHaveBeenCalledTimes(1);
-        expect(mockSendEmail.mock.calls[0][1]).toBe(email);
+        expect(mockSendEmail.mock.calls[0][1]).toBe(email.toLowerCase());
         expect(mockSendEmail.mock.calls[0][2]).toContain('email/change?t=');
       });
 
@@ -263,6 +263,32 @@ describe('Member Storage Controller', () => {
       // mock send email only sent once, before
       expect(mockSendEmail).toHaveBeenCalledTimes(1);
     });
+    // regression test for issue #1939
+    it('Change email and store as lowercase', async () => {
+      const { actor } = await seedFromJson();
+      assertIsDefined(actor);
+      assertIsMember(actor);
+      mockAuthenticate(actor);
+
+      // specifically use an uppercase email
+      const newEmail = faker.internet.email().toUpperCase();
+      const token = jwtSign(
+        { uuid: actor.id, oldEmail: actor.email, newEmail },
+        EMAIL_CHANGE_JWT_SECRET,
+      );
+
+      const response = await app.inject({
+        method: HttpMethod.Patch,
+        url: '/members/current/email/change',
+        headers: { Authorization: `Bearer ${token}` },
+      });
+      expect(response.statusCode).toBe(StatusCodes.NO_CONTENT);
+      // Email changed
+      const rawMember = await db.query.accountsTable.findFirst({
+        where: eq(accountsTable.id, actor.id),
+      });
+      expect(rawMember?.email).toEqual(newEmail.toLowerCase());
+    });
   });
   describe('GET /members/current/storage/files', () => {
     it('returns ok', async () => {

src/services/member/member.controller.ts

@@ -141,11 +141,12 @@ const controller: FastifyPluginAsyncTypebox = async (fastify) => {
       preHandler: [isAuthenticated, matchOne(memberAccountRole)],
     },
     async ({ user, body: { email } }, reply) => {
+      const newEmail = email.toLowerCase();
       const account = asDefined(user?.account);
       assertIsMember(account);
 
       // check if there is a member that already has the new email
-      if (await memberService.getByEmail(db, email)) {
+      if (await memberService.getByEmail(db, newEmail)) {
         // Email adress is already taken, throw an error
         throw new EmailAlreadyTaken();
       }
@@ -154,8 +155,8 @@ const controller: FastifyPluginAsyncTypebox = async (fastify) => {
       const member = await memberService.get(db, account.id);
       assertIsDefined(member);
       const memberInfo = member.toMemberInfo();
-      const token = memberService.createEmailChangeRequest(memberInfo, email);
-      memberService.sendEmailChangeRequest(email, token, memberInfo.lang);
+      const token = memberService.createEmailChangeRequest(memberInfo, newEmail);
+      memberService.sendEmailChangeRequest(newEmail, token, memberInfo.lang);
 
       reply.status(StatusCodes.NO_CONTENT);
     },