[BUG]: Authentication workflow stores raw email values but performs normalized email lookups

[VarshithReddy2006]

Summary

The authentication workflow handles email normalization inconsistently.

The signup flow normalizes email addresses when checking for existing users, but stores the original unnormalized email value in the database. Later authentication flows perform lookups using normalized email values.

This creates a mismatch between write and read operations for email-based authentication.

---

Location

File: apps/public-api/src/controllers/userAuth.controller.js

Functions:

• signup
• login
• buildAuthUserPayload

---

Relevant Code

Signup performs normalized lookup

const normalizedEmail = email.toLowerCase().trim();

const existingUser = await Model.findOne({
  email: normalizedEmail
});

Signup stores raw email

const newUserPayload = buildAuthUserPayload(
  usersColConfig,
  { email, password, username, ...otherData },
  hashedPassword,
  false
);

const payload = {
  email,
  password: hashedPassword,
  ...otherData,
  createdAt: new Date()
};

Login performs normalized lookup

const normalizedEmail = email.toLowerCase().trim();

const user = await Model.findOne({
  email: normalizedEmail
}).select('+password');

Validation schema does not normalize emails

email: z
  .string()
  .min(1)
  .email()
  .max(100)

---

Root Cause

The application normalizes email addresses for lookup operations but stores the original email value during user creation.

As a result:

• Write path uses raw email values.
• Read path uses normalized email values.

---

Steps to Reproduce

1. Register a user with:

{
  "email": "Test.User@example.com",
  "password": "password123"
}

2. The user record is created using the original email value.

3. Attempt login using the same credentials.

4. The login flow normalizes the email and queries using:

email: "test.user@example.com"

---

Expected Behavior

Email addresses should be normalized consistently before both database writes and database reads.

---

Actual Behavior

The authentication workflow stores raw email values while performing normalized email lookups.

---

Impact

• Users registering with mixed-case email addresses may encounter authentication issues.
• Email-based workflows can behave inconsistently.
• Email uniqueness enforcement becomes dependent on database behavior rather than application logic.

---

Suggested Fix

Normalize email values before creating user payloads and ensure all email-based authentication flows use the same canonical representation.

[VarshithReddy2006]

Hi @yash-pouranik ,

I investigated the authentication workflow and identified an inconsistency in how email addresses are handled across signup and login flows.

The signup flow normalizes emails when checking for existing users but stores the original email value in the database, while login and other authentication-related flows perform lookups using normalized email values. I have included the affected code paths, root cause analysis, reproduction steps, and impact details in the issue report.

If the issue is considered valid, I would be happy to work on implementing a fix and submit a PR.

Thank you for your time and review.

[yash-pouranik]

yh thats a valid issue
u can wrk on this

[yash-pouranik]

@VarshithReddy2006

[VarshithReddy2006]

Hi @yash-pouranik,

I've completed the fix for Issue #321 and verified the affected authentication flows.

Changes made

• Normalised email storage during user signup.
• Normalised email storage for social-auth-created users.
• Normalised social-auth email lookups during account linking.
• Normalised admin-created user email handling (duplicate checks and storage).

Scope

The fix is intentionally limited to the email normalisation issue and does not modify OTP, email verification, password reset, or other authentication flows.

I'll be opening a PR shortly for review.

Thank you.