user email is not case-sensitive for login (fix #202)

feross · Oct 3, 2015 · 0004d42 · 0004d42
1 parent e4d76d9
commit 0004d42
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 26 deletions.
diff --git a/lib/auth.js b/lib/auth.js
@@ -63,22 +63,18 @@ exports.passportStrategy = new passportLocal.Strategy({
   passwordField: 'password'
 }, function (email, password, done) {
   model.User
-    .findOne({ email: email })
+    .findOne({ emailLowerCase: email && email.toLowerCase() })
     .exec(function (err, user) {
-      if (err) {
-        done(err)
-      } else if (user === null) {
-        done(null, false, { message: 'Username not found' })
-      } else {
-        user.comparePassword(password, function (err, isMatch) {
-          if (err) return done(err)
-
-          if (isMatch) {
-            done(null, user)
-          } else {
-            done(null, false, { message: 'Wrong password' })
-          }
-        })
+      if (err) return done(err)
+      if (user === null) {
+        return done(null, false, { message: 'Username not found' })
       }
+
+      user.comparePassword(password, function (err, isMatch) {
+        if (err) return done(err)
+
+        if (isMatch) done(null, user)
+        else done(null, false, { message: 'Wrong password' })
+      })
     })
 })
diff --git a/model/User.js b/model/User.js
@@ -18,7 +18,7 @@ var User = new mongoose.Schema({
       validate({
         validator: 'contains',
         arguments: ' ',
-        message: 'Please share your full name. Don\'t be shy! :)'
+        message: 'Please share your full name. Don\'t be shy :)'
       }),
       validate({
         validator: 'isLength',
@@ -37,6 +37,10 @@ var User = new mongoose.Schema({
       })
     ]
   },
+  emailLowerCase: {
+    type: String,
+    unique: true
+  },
   password: {
     type: String,
     validate: [
@@ -158,21 +162,24 @@ User.methods.totalHits = function (cb) {
 User.methods.gravatar = function (size, transparent) {
   size = size || 50
   var fallback = transparent ? 'blank' : 'mm'
-  var hash = md5(this.email.trim().toLowerCase())
+  var hash = md5(this.emailLowerCase)
   return '//www.gravatar.com/avatar/' + hash + '?size=' + size + '&default=' + fallback
 }
 
-// Store hashed version of user's password
 User.pre('save', function (next) {
   var self = this
-  if (!self.isModified('password')) return next()
-
-  // Hash the password and store it
-  bcrypt.hash(self.password, 10, function (err, hash) {
-    if (err) return next(err)
-    self.password = hash
+  if (self.isModified('email')) self.emailLowerCase = self.email.toLowerCase()
+
+  if (self.isModified('password')) {
+    // Store hashed version of user's password
+    bcrypt.hash(self.password, 10, function (err, hash) {
+      if (err) return next(err)
+      self.password = hash
+      next()
+    })
+  } else {
     next()
-  })
+  }
 })
 
 User.methods.comparePassword = function (password, cb) {

diff --git a/package.json b/package.json
@@ -95,6 +95,7 @@
     "nodemon": "^1.0.17",
     "pre-commit": "^1.0.10",
     "proxyquire": "^1.3.1",
+    "run-parallel-limit": "^1.0.2",
     "standard": "^5.0.2",
     "stylus": "^0.52.0",
     "tape": "^4.0.0",

diff --git a/routes/login.js b/routes/login.js
@@ -47,7 +47,9 @@ module.exports = function (app) {
     waterfall([
       util.randomBytes,
       function (token, cb) {
-        model.User.findOne({ email: req.body.email }, function (err, user) {
+        model.User.findOne({
+          emailLowerCase: req.body.email && req.body.email.toLowerCase()
+        }, function (err, user) {
           if (err || !user) {
             req.flash('error', 'No account with that email address exists.')
             return res.redirect('/login/forgot')