-
Notifications
You must be signed in to change notification settings - Fork 108
emails are incorrectly case sensitive in account create #455
Comments
Since email is used on the client as part of the key stretching it will be important for all clients to normalize the email before stretching so that user input isn't case dependent. The server might be able to verify whether the email was normalized, but normalization can't only be done on the server. Since that's the case I think we need to be very specific about how its done especially since we allow unicode characters. I know it gets complicated quickly. |
Ugh, this is gnarly. I can think of at least the following options: 1a. specify the unicode normalization procedure; 1 is hard. 2 weakens security. 3. might require server round-trips, might enable account lockouts, and might confuse users when they see different emails in different places. Gnarly. 1 might be right. Looking at what's easy to do on Android, I see http://docs.oracle.com/javase/7/docs/api/java/lang/String.html#toLowerCase%28%29 and http://docs.oracle.com/javase/7/docs/api/java/util/Locale.html; but http://docs.oracle.com/javase/tutorial/i18n/text/normalizerapi.html looks better. Looking for Javascript, I see http://norbertlindenberg.com/2013/10/javascript-internationalization/Internationalizing%20JavaScript%20Applications.pdf which points to https://github.com/walling/unorm. My uneducated vote is for using this standard normalization procedure and not normalizing email at all. Surely mozillians.org has the same issue; we should reach out to them. |
mozillians.org uses Persona. Perhaps we can do the same as Persona, and just document what it does. It might just call some Node.js normalizing function, though :( |
Ugh. If we really had to, we could have the server return a per-normalized-email salt before the client did any stretching, but it'd add a roundtrip, and would give a malicious server an extra attack (give the client a fixed salt for which they had a pre-computed dictionary, bypassing the benefits of a salt). /me hates normalization, we hates it, yess, yesss. If we do go for normalization, I'd vote against normalizing extension addresses away. Even just for testing, I use them all the time, and I expect them to map to different accounts. I suspect we've got plenty of "normal" users who expect the same. Can we get away without this? What about the following:
|
Chatting in the office just now, we came up with the following variant on my proposal:
The |
@warner just to clarify, when you say 'client' you mean Fx Desktop/Android/FxOS/Web will get error codes from auth server so that clients resolve the issue. If we ever have to message the user with alertnate case emails -- that that's a UX 💣 We have to be weary about phishing attacks also, where you might sign in as JoeUSER@domain.com and you get asked to enter you password from someone who owns JOEuser@domain.com finally, persona respects case upon input and always presents you with the email string as you entered it: so JoeUser@Domain.com should always display that way, but the client/front will lower() the string upon db insert. |
tracking in bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=957681 |
Which is how this works as well. |
In the meeting today, we just decided that a "wrong-case login-attempt" (i.e. you submit an email address which doesn't exist verbatim in the database, but there is an account whose case-folded address matches the case-folded submitted address) should return a new error code, instead of being presented as "wrong password". The new error code should be something like "unknown account (but try this case instead)". @dannycoates will allocate the errno and update the server code+docs. |
i logged a bug for clients to handle incorrect case error: https://bugzilla.mozilla.org/show_bug.cgi?id=963835 |
@edmoz Thanks for the headsup. This bit confused me: "so JoeUser@Domain.com should always display that way, but the client/front will lower() the string upon db insert", specifically "client/front". The rest of this discussion makes it sound like:
Alternately:
which would be a significant change. Can you clarify? |
@SamPenrose: Android client handles 4xx/120 (alternate email provided) by retrying once with the new email and existing password. See https://bugzilla.mozilla.org/show_bug.cgi?id=963160. It is tricky to thread a possibly alternate email through to the right places, in particular I missed |
We're handling this client side. CLosing. |
fix(config): expose more environment variables for config
actual: user is created, you get UUID
expected: you should get
{"code":400,"error":"Bad Request","message":"Account already exists","info":"https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md#response-format","errno":101,"email":"ed@hotmail.com","log":[{"op":"Account.create","rid":"1387491430481-45014-59836"}
The text was updated successfully, but these errors were encountered: