Case Sensitive Usernames


Arthur Pemberton

Dec 12, 2021, 11:02:54 AM
to Django developers (Contributions to Django itself)
Especially with the ability to set USERNAME_FIELD to "email", it would be really useful to at least have a well documented warning that usernames are case-sensitive in Django.

I've been using Django for years, and even I forget that fact sometimes. Until I start Googling and come across [1].

Ideally, it would be great to have a setting (or model field) that would allow easy switching to case insensitive usernames.

Arthur Pemberton

----

אורי

Dec 12, 2021, 11:21:32 AM
to Django developers (Contributions to Django itself)
Hi Arthur,

I would recommend users of Django to use only lowercase usernames. And if they insist that the username is an email address, also convert it to lowercase. Otherwise you can have 3 separate users uri, Uri, and uRI, or 3 separate users with email addresses u...@example.com, U...@example.com, and u...@example.com (or even u...@Example.com). Maybe it's better to add an optional setting to enforce usernames to be lowercase. And by the way also alphanumeric. You don't want "!@#" to be a username on your system (or the user's name in Chinese or Hebrew).

It's interesting that this ticket is 15 years old and still not completely resolved.

By the way, when people type their email address, some programs (including browsers) convert the first letter to uppercase, and I have received email addresses from people with the first letter in uppercase, although their true address is lowercase. I don't think you want this uppercase letter to appear on your database in the email field.

אורי
(Uri)



Arthur Pemberton

Dec 12, 2021, 10:32:18 PM
to Django developers (Contributions to Django itself)
A setting to convert all usernames to lowercase would be good too -- that's my preference overall in general. However I haven't yet seen how best that could/would be accomplished.

For simpler use cases where I'm just sub-classing AbstractUser and not customizing the auth backend, I've taken to overriding UserManager.get_by_natural_key to allow for case-insensitive logins. Though really, I probably should add a signal handler to force username to lowercase.

Arthur

Kye Russell

Dec 12, 2021, 10:40:30 PM
to Django developers (Contributions to Django itself)
Strong -1 on overriding user intent on capitalisation, especially for email addresses as the RFC stipulates that the local part of an email address is case sensitive, this is just rarely practiced. There are much better solutions out there (CI[Text|Char]Field in Postgres, etc) that enforce case-insensitivity purely for comparison operations which is where you really want it, but without overriding user intent wrt what case the user wants to use in their email or username.

Django could maybe do with easing the process of implementation for case-insensitive fields outside of Postgres. I’m not familiar enough with the other RDBMSs to know how workable that is. But the answer is certainly not discarding user intent. 

Kye
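
Added example, not part of any participant's post and not Django's own code: a sketch of the "case-insensitive for comparison only" approach outside Postgres, using SQLite's built-in `NOCASE` collation in place of the CI fields named above. The table names, function names and sample usernames are hypothetical and constructed for illustration.

```python
import sqlite3

TABLES = ("cs_user", "ci_user")  # hypothetical table names


def make_db():
    db = sqlite3.connect(":memory:")
    # Default BINARY collation: behaves like a plain case-sensitive username column.
    db.execute("CREATE TABLE cs_user (username TEXT UNIQUE)")
    # NOCASE collation: equality and the UNIQUE index ignore ASCII case,
    # but the text is stored exactly as the user typed it.
    db.execute("CREATE TABLE ci_user (username TEXT COLLATE NOCASE UNIQUE)")
    return db


def register(db, table, username):
    """Insert a username; return False when the UNIQUE constraint rejects it."""
    if table not in TABLES:
        raise ValueError("unknown table")
    try:
        with db:  # commits on success, rolls back on error
            db.execute(f"INSERT INTO {table} (username) VALUES (?)", (username,))
        return True
    except sqlite3.IntegrityError:
        return False


def lookup(db, table, username):
    """Return the stored spelling of a username, or None if there is no match."""
    if table not in TABLES:
        raise ValueError("unknown table")
    row = db.execute(
        f"SELECT username FROM {table} WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def demo():
    db = make_db()
    names = ["Uri", "uri", "uRI"]  # constructed sign-up attempts
    cs = [register(db, "cs_user", n) for n in names]  # three distinct accounts
    ci = [register(db, "ci_user", n) for n in names]  # only the first succeeds
    # Caveat: NOCASE folds only ASCII A-Z, so these two still coexist.
    non_ascii = [register(db, "ci_user", n) for n in ("Ärger", "ärger")]
    return cs, ci, non_ascii, lookup(db, "cs_user", "URI"), lookup(db, "ci_user", "URI")


if __name__ == "__main__":
    print(demo())
```

The non-ASCII result is the part to watch: a collation that folds only ASCII leaves look-alike accounts possible for any username containing other scripts or accented letters.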

Arthur Pemberton

Dec 12, 2021, 10:44:40 PM
to Django developers (Contributions to Django itself)
Purely anecdotal, but I've never had a user intentionally sign up for an account with a case-sensitive email address. I'm not sure which users expect their username or email addresses to be case-sensitive.

Arthur

Ken Whitesell

Dec 12, 2021, 10:46:40 PM
to django-d...@googlegroups.com
Also a strong -1. While it is rare, it is perfectly legitimate to have a mail server treat the name portion of an email address as being case sensitive.

Yes, you can find a lot of wrong answers on the internet stating otherwise, but paragraph 2.4 of RFC 5321 clearly states that the local-part of an address is case-sensitive.

(Note: I operate a case-sensitive email server, just as a demonstration of that standard.)

Benny

Dec 12, 2021, 11:01:07 PM
to django-d...@googlegroups.com
IMO this treads dangerously close to what I call a “Django Gotcha” - There exist some implementations, where if you’re not paying attention, it’ll come back to bite you in the keister. One example would be the test runner coercing DEBUG=False in an effort for tests to more accurately reflect a production environment.

Normalization is a nightmare all on its own without having to implicitly introduce it.

Benny

Arthur Pemberton

Dec 12, 2021, 11:15:48 PM
to django-d...@googlegroups.com
The current behaviour is an undocumented gotcha. It should at least be mentioned in the documentation. Very few major login based platforms are case sensitive, so it should be at least mentioned in the documentation that by default applications built with Django would be different in that regard.

Arthur

Benny

Dec 12, 2021, 11:40:05 PM
to django-d...@googlegroups.com
That’s a matter of perspective - RFC 5321 documents it pretty well. While I agree that, speculatively, the majority of servers may normalize emails to lower-case, it’s not officially recognized. I’m a fan of exhaustive documentation, but this is a standard set by an arguably higher authority.

Benny

אורי

Dec 12, 2021, 11:52:10 PM
to Django developers (Contributions to Django itself)
Hi,

As far as I know, at Google, which runs mail servers for about 85% of users worldwide (Gmail + Workspace users), email addresses and usernames are case insensitive. So if you send me for example an email to U...@SPEEDY.NET, I will receive it. Although according to the RFC it should have been bounced (actually I'm not sure, maybe it's up to the domain manager (speedy.net / gmail.com) to decide whether to bounce it or not). This is a de-facto standard - I know companies that always send me mail to my email address in uppercase, and I think they do it to all of their customers. I don't think they have delivery problems with customers.

Kye Russell

Dec 13, 2021, 12:15:40 AM
to Django developers (Contributions to Django itself)
The RFC does not specifically disallow case-insensitive email addresses, no.

This all feels like a moot point. Messing with user data (read: not rejecting it) before it hits the database for ‘technical’ reasons is certainly swimming against the tide. You hardly ever see it these days. If you need case-insensitive comparison of email addresses (e.g. for an auth check), then just do a case-insensitive comparison. This is why things like CI[Text/Char/Email]Field exist. If we are appealing to authority, Gmail’s new account sign up form preserves user case. 

Kye