Tools-based email authentication is case sensitive


Joe Barnhart

Feb 19, 2009, 8:36:07 PM
to web2py Web Framework
I dunno if this was intended, but the email address of the user is
case-sensitive when the logon is created. One of my users
inadvertently had an upper-case letter in his email address when he
registered. The verification link worked and told him he was
registered, but he could not log on. (He didn't know his email
address had a capital letter in it.)

Should the tools.py library smash the email addresses to lower case
before saving them? Or should the login routine do comparisons in a
case-insensitive manner?

mdipierro

Feb 19, 2009, 11:47:06 PM
to web2py Web Framework
It is intended but can be changed.

You can do

db(auth.settings.table_user.id>0).update(email=auth.settings.table_user.email.lower())

to make all current emails lower case and

auth.settings.table_user.email.requires=[IS_LOWER(),IS_EMAIL(),IS_NOT_IN_DB(db,auth.settings.table_user.email)]

to make sure all new ones are converted to lower case upon validation.

Joe Barnhart

Feb 23, 2009, 4:37:00 PM
to web2py Web Framework
Just an update here. I have implemented your solution on my testbed
but have not rolled it into the public version yet. In four days I
have had four users contact me because "the logon doesn't work". In
each case, they had a capital letter somewhere in their email
address.

For my fix, I think I would rather let people enter addresses in any
case but do the login comparison in a case-insensitive manner. I did
not see UPPER() and LOWER() mentioned in the web2py manual as SQL
functions available on columns for queries. I'll look up the source
code and see if they're in there.

-- Joe B.

mdipierro

Feb 23, 2009, 5:29:21 PM
to web2py Web Framework
Did you convert current emails to lower case?

db(auth.settings.table_user.id>0).update(email=auth.settings.table_user.email.lower())
db.commit()

Joe Barnhart

Feb 23, 2009, 11:26:26 PM
to web2py Web Framework
I verified the approach works on my test bed but I did not put it on
the public version yet. My concern is this: As soon as I convert
everyone's address in the auth_user table to lower case, they will
complain that it fails when they enter their email address in mixed
case, i.e. "it's broken again!"

I'll go ahead and implement this solution, but a better one would be
to save the address mixed case but compare it as lower case during
authentication.
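
The two steps discussed in this thread (lower-casing the stored addresses, then lower-casing what the user types at login), as an added example that is not part of the original posts and is not web2py code. It uses plain sqlite3; the table layout and the helper names (`normalize_email`, `find_case_collisions`, `migrate_to_lower`, `lookup_exact`, `lookup_normalized`, `demo_db`) are assumptions. It goes one step beyond the thread by refusing to migrate when two accounts differ only by case.

```python
import sqlite3

def normalize_email(addr):
    """Single canonical form, applied to stored values and to login input."""
    return addr.strip().lower()

def demo_db(emails):
    """Build an in-memory table from constructed sample addresses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO auth_user (email) VALUES (?)",
                     [(e,) for e in emails])
    return conn

def find_case_collisions(conn):
    """Map each canonical address to the ids sharing it, when more than one."""
    groups = {}
    for uid, email in conn.execute("SELECT id, email FROM auth_user ORDER BY id"):
        groups.setdefault(normalize_email(email), []).append(uid)
    return {k: v for k, v in groups.items() if len(v) > 1}

def migrate_to_lower(conn):
    """Rewrite stored addresses to canonical form; stop if accounts would merge."""
    if find_case_collisions(conn):
        raise ValueError("accounts differ only by case; resolve before migrating")
    rows = conn.execute("SELECT id, email FROM auth_user").fetchall()
    conn.executemany("UPDATE auth_user SET email = ? WHERE id = ?",
                     [(normalize_email(e), uid) for uid, e in rows])
    conn.commit()

def lookup_exact(conn, typed):
    """Byte-for-byte comparison: the behaviour that locked users out."""
    return conn.execute("SELECT id FROM auth_user WHERE email = ?",
                        (typed,)).fetchone()

def lookup_normalized(conn, typed):
    """Canonicalize the typed address before comparing with stored values."""
    return conn.execute("SELECT id FROM auth_user WHERE email = ?",
                        (normalize_email(typed),)).fetchone()
```

After `migrate_to_lower`, `lookup_exact` still fails for mixed-case input, which is the "it's broken again" case raised above; `lookup_normalized` accepts any casing because both sides of the comparison use the same canonical form.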