PostgreSQL: Login using MFA Does Not Respect the Uppercase of the Email Address

Description

Summary

Login using MFA does not respect the uppercase of the email address.

Environment

  • Mattermost Server 5.23.0

  • PostgreSQL 10.12

  • Google Authenticator MFA

Steps to Reproduce

  • Create an account with an uppercase email address, for example `ahmadDANIAL@mattermost.com`

  • Once done, log in with the email address above and configure MFA. In my case, I used Google Authenticator

  • Log in with Google Authenticator and enter the code

Expected Result

Actual Result

  • The "Enter a valid email or username and/or password" error is displayed on the UI.

  • The entries that I am getting in the mattermost.log when the issue was reproduced:

  • The email address that is stored in the Users table was converted to all small case characters.

  • No issues when logging in with the lowercase email address.

Notes

  • This issue was originally discussed in the Ask R&D channel.

  • Based on 's feedback on this issue:

    It is common practice to compare emails in lowercase so users don't have to worry how they wrote it the first time (emails are case insensitive). If using capital letters anywhere in the email (whether it is during registration or when authenticating) prevents authentication, it is a bug.

QA Test Steps

Verify on a postgres server that LDAP + MFA works with mixed-case login and still works with all lowercase login. Check LDAP login without MFA and also email login with mixed- and lowercase as well, to verify no regression there.

Do further regression tests, including on a mysql server.
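The mismatch described in this ticket and the mixed-case/lowercase matrix from the QA steps, as an added example that is not Mattermost's code. It assumes the failing login path does an exact-match lookup against a case-sensitive store (PostgreSQL compares text case-sensitively by default); the ticket does not confirm that root cause, and `userStore`, `lookupExact`, `lookupNormalized` and `checkMatrix` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// userStore models a case-sensitive lookup keyed by stored email (assumption:
// this mirrors PostgreSQL's default text comparison). Value is a user ID.
type userStore map[string]string

var errInvalidLogin = errors.New("enter a valid email or username and/or password")

// createUser lowercases the email before storing it, as the ticket observed.
func (s userStore) createUser(email, id string) { s[strings.ToLower(email)] = id }

// lookupExact compares the login ID as typed (the assumed failing behaviour).
func (s userStore) lookupExact(loginID string) (string, error) {
	if id, ok := s[loginID]; ok {
		return id, nil
	}
	return "", errInvalidLogin
}

// lookupNormalized trims and lowercases the login ID first, so every login
// path (password, password + MFA, LDAP) resolves the same stored row.
func (s userStore) lookupNormalized(loginID string) (string, error) {
	return s.lookupExact(strings.ToLower(strings.TrimSpace(loginID)))
}

// checkMatrix runs mixed-case and lowercase login IDs against both lookups.
func checkMatrix() map[string]bool {
	s := userStore{}
	s.createUser("ahmadDANIAL@mattermost.com", "u1") // address from the ticket
	results := map[string]bool{}
	for _, id := range []string{"ahmadDANIAL@mattermost.com", "ahmaddanial@mattermost.com"} {
		_, errExact := s.lookupExact(id)
		_, errNorm := s.lookupNormalized(id)
		results["exact:"+id] = errExact == nil
		results["normalized:"+id] = errNorm == nil
	}
	return results
}

func main() {
	for k, ok := range checkMatrix() {
		fmt.Printf("%-45s found=%v\n", k, ok)
	}
}
```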

Mana

None

Assignee

Alejandro García

QA Assignee

Linda Mitchell

Reporter

Ahmad Danial Mohammad

Epic Link

None

Fix versions

Mattermost Team

Sustained Engineering

Sprint

None

Labels

QA Testing Areas

MFA

GitHub Issue

None

Components

None

Severity

None