Cannot log in using an email address containing a special character such as a single quote #15480

Closed


@designsimply
Contributor

Steps to reproduce:

  1. Have an email address that has not been used before to create an account on WordPress.com and that contains a special character such as a single quote.
  2. Open the app and log out if you were already logged in.
  3. Tap the "Log in or sign up with WordPress.com" button.
  4. Enter the email address from step 1.
  5. Complete the account creation including any email verification required.
  6. Open the app and log out again.
  7. Try to log in using the email address from step 1.

Results: Signup allows me to use a single quote special character in an email address when I create an account but then I cannot log in when I try to use that email in the login flow. (6m57s)

Note: The error in this case is a bit odd since it mentions a problem with email that I don't think is relevant and shows the signup screen in the background even though an account already exists at that point for the email being tested.

Error:

There was some trouble sending the email. You can retry now or close and try again later.


Tested signup using design5279+android'test101821@gmail.com using WPAndroid 18.3 Play Store version on Pixel 3 Android 11.

App logs:

33 - [Oct-18 20:36 STATS] 🔵 Tracked: login_email_form_viewed
34 - [Oct-18 20:36 STATS] 🔵 Tracked: unified_login_step, Properties: {"source":"default","flow":"wordpress_com","step":"start"}
35 - [Oct-18 20:36 NUX] LoginEmailFragment: Google API client connected
36 - [Oct-18 20:36 STATS] 🔵 Tracked: unified_login_interaction, Properties: {"source":"default","flow":"wordpress_com","step":"start","click":"select_email_field"}
37 - [Oct-18 20:36 NUX] LoginEmailFragment: Autofill framework is enabled. Disabling hint picker dialog.
38 - [Oct-18 20:37 STATS] 🔵 Tracked: unified_login_interaction, Properties: {"source":"default","flow":"wordpress_com","step":"start","click":"submit"}
39 - [Oct-18 20:37 API] Dispatching action: AccountAction-FETCH_AUTH_OPTIONS
40 - [Oct-18 20:37 API] Volley error on https://public-api.wordpress.com/rest/v1.1/users/design5279+android'test101821@gmail.com/auth-options/?locale=en_GB - exception: null
41 - [Oct-18 20:37 API] StackTrace: com.android.volley.ClientError
	at com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:199)
	at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:131)
	at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:111)
	at com.android.volley.NetworkDispatcher.run(NetworkDispatcher.java:90)

42 - [Oct-18 20:37 API] Dispatching action: AccountAction-FETCHED_AUTH_OPTIONS
43 - [Oct-18 20:37 API] OnAuthOptionsFetched has error: UNKNOWN_USER - User does not exist.
44 - [Oct-18 20:37 API] Dispatching action: AuthenticationAction-SEND_AUTH_EMAIL
45 - [Oct-18 20:37 STATS] 🔵 Tracked: login_magic_link_open_email_client_viewed
46 - [Oct-18 20:37 STATS] 🔵 Tracked: unified_login_step, Properties: {"source":"default","flow":"signup","step":"magic_link_requested"}
47 - [Oct-18 20:37 API] Volley error on https://public-api.wordpress.com/rest/v1.1/auth/send-signup-email/?locale=en_GB - exception: null
48 - [Oct-18 20:37 API] StackTrace: com.android.volley.ClientError
	at com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:199)
	at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:131)
	at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:111)
	at com.android.volley.NetworkDispatcher.run(NetworkDispatcher.java:90)

49 - [Oct-18 20:37 API] Dispatching action: AuthenticationAction-SENT_AUTH_EMAIL
50 - [Oct-18 20:37 STATS] 🔵 Tracked: signup_magic_link_failed
51 - [Oct-18 20:37 API] OnAuthEmailSent error: USER_EXISTS - User with this email already has an account.
52 - [Oct-18 20:37 STATS] 🔵 Tracked: unified_login_failure, Properties: {"source":"default","flow":"signup","step":"magic_link_requested","failure":"There was some trouble sending the email. You can retry now or close and try again later."}
53 - [Oct-18 20:37 UTILS] App goes to background
54 - [Oct-18 20:37 STATS] 🔵 Tracked: application_closed, Properties: {"time_in_main_reader":2,"last_visible_screen":"Unknown","time_in_reader_paged_post":0,"time_in_app":113,"time_in_subfiltered_list":0,"time_in_reader_filtered_list":0}

Workaround: Log in to the affected WordPress.com account using a web browser, go to WP Admin > Profile > Get Apps and use the "Email me a log in link" to get a magic login link.

Notes: On the web, it's possible to log in by username instead of email address as an easy workaround. In the iOS app, login is completely blocked by this. In the Android app, there's actually a workaround which is to use the magic login link from the Get Apps page on the web so while it's still a problem for affected users it's not as urgent as it is for the iOS app.

(internal reference: p4a5px-2MC-p2 /hat tip @mdrockwell)

@designsimply
Contributor Author

Note: this was fixed in WPiOS via wordpress-mobile/WordPress-iOS#17357 and wordpress-mobile/WordPressKit-iOS#457.

@mkevins
Contributor

mkevins commented Jul 7, 2022

I could not reproduce this (as of 71f7d9c). I tested using the steps described, and each time I tried, I was able to log in using the email with a single quote. I also tried by setting a password on the account (which brought me to a password login after entering the email address). I also tried by using the magic link (from the password flow), and all three methods logged me in successfully.

I wonder if this was resolved somehow? The PR linked above is still in draft, so perhaps this was resolved inadvertently via some other changeset. I can try reproducing this on the version it was reported on to confirm that there isn't anything subtly different with the steps I'm using to encounter the issue.

@mkevins
Contributor

mkevins commented Jul 7, 2022

I tried a few more things, but still did not manage to reproduce this. I tried installing 18.3 on the Pixel 3a (physical device) that I used to test the scenarios in the comment above, but I got the same results. Then I tried installing 18.3 on a Pixel 3 (emulator) with Android 11, and that did not reproduce the issue either. Finally, I tried with a new email (also containing a single quote), creating a new account, and this time, adding a password on the screen that is presented immediately following account creation (a slightly different screen than the one presented when logging in a second time). Still, I did not encounter the issue.

Perhaps there is some back-end change that somehow resolved this? @thehenrybyrd were you able to reproduce this one? If it can no longer be reproduced, perhaps we can close it as resolved. Wdyt?

@RenanLukas
Contributor

I also wasn't able to reproduce it on the Android client (3574ae9), but I've received an error on web (with a different message) using an email address with a single quote. The error message on web was:

We don't seem to have an account with that name. Double-check the spelling and try again!

If the issue is really different like the message makes me think, I agree with @mkevins that something might've changed on the back-end that fixed the special character issue on the clients.
However, if the issue I'm getting on web is the same and just has a different message, then I believe something has changed on Android client instead of the back-end, although I couldn't find any merged changes on WordPress-Android or WordPress-FluxC-Android that might've fixed it.

Emulator - Android 12 - WP Android 20.3-rc-1

cc @thehenrybyrd

@jd-alexander jd-alexander removed their assignment Jul 20, 2022
@ovitrif ovitrif self-assigned this Aug 1, 2022
@ovitrif
Contributor

ovitrif commented Aug 1, 2022

Trunk Version
I couldn't reproduce this issue with the trunk version; for me both sign up and login worked multiple times and with different e-mail addresses.

Tested with the following e-mail addresses:

  • ovitestin+asingle'test@gmail.com
  • ovitestin+asingle'test1001@gmail.com

20.4 Version

  • 🟡 I was able to reproduce it at sign-up on the version 20.4 from the Play Store. I saw the same error, but at sign-up time (step 4️⃣ → the account didn't exist in the system) with the e-mail address: ovitestin+adroid"test@gmail.com.
    • Further testing resulted in the same error every time a " (double quote) is used to sign up.
  • 🟢 Tested also with ovitestin+and'roizz'12tst@gmail.com on the Play Store version and that didn't repro the issue.
  • 🟢 I also tested with design5279+android'test101821@gmail.com (the e-mail from the screenshot) and that didn't end up showing this error for me:

    There was some trouble sending the email. You can retry now or close and try again later.

  • 🔴 Next I tested with an e-mail address having a backtick character (`):
    ovitestin+an0therr`test@gmail.com
    

🔴 I encountered all sorts of issues after copy-pasting this email address in the input field:

Screenshots: problem reported in the issue; input error & continue button disabled.

🔴 Then I also couldn't enter a simple e-mail address in the input anymore:

🟢 After going back and returning to this screen, pasting the e-mail address again it worked:

🟢 Afterwards I couldn't reproduce the issues with the same email address anymore 🤷‍♂️.

Further testing with email addresses containing a backtick also succeeded repeatedly.

@ovitrif
Contributor

ovitrif commented Aug 1, 2022

My plan next is to try a fix similar to what has been done on iOS as informed here:
#15480 (comment)

@ovitrif
Contributor

ovitrif commented Aug 1, 2022

My plan next is to try a fix similar to what has been done on iOS as informed here: #15480 (comment)

I'm not sure anymore that's a good fix though.

I created a new account with this email address on iOS: ovitestin+iozz'cool@gmail.com.

Everything is successful on iOS, but in the web browser I can't log in with the same email address; I'm getting this error when clicking on the button from the login e-mail:

Although I could implement a similar fix on Android (there's even a bunch of draft PRs integrated in #15526), this might not be the ideal experience imho. Instead of having this inconsistency between web and the mobile app, I'd rather have the mobile apps not allow entering emails with a single quote.

@designsimply & @diegoreymendez (since you've fixed this on iOS), wdyt?

EDIT: Shamelessly adding @thehenrybyrd to the list of pinged folks 👀 for a second opinion.

⚠️ Technical Jargon - iOS solution analysis

Based on my understanding of the iOS fix from this PR, on iOS we encode the single quote characters when calling the auth-options endpoint.

I've used this code to get an idea of what's going on on the iOS side:

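import Foundation

// Test address containing a single quote.
let test = "ovitestin+iozz'cool@gmail.com"

// urlPathAllowed minus the characters ! ' ( ) * so that these get percent-encoded too.
var urlPathRFC3986Allowed: CharacterSet {
    CharacterSet.urlPathAllowed.subtracting(CharacterSet(charactersIn: "!'()*"))
}

extension String {
    // Percent-encodes every character outside urlPathRFC3986Allowed.
    var urlEncoded: String? {
        return addingPercentEncoding(withAllowedCharacters: urlPathRFC3986Allowed)
    }
}

let url = "http://www.example.com/?name=\(test.urlEncoded!)"

print(url)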

here: http://online.swiftplayground.run/

And the output is:
http://www.example.com/?name=ovitestin+iozz%27cool@gmail.com

Notice the encoded ' appearing as %27. I checked the call via the browser when using www.wordpress.com to log in, and single quotes aren't getting encoded on the web.
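
The encoding difference discussed in the comment above, as an added example that is not part of the thread or of the WordPress apps' code: it builds the `auth-options` path seen in the app log with two encoders and compares the result for the special characters tested in this issue. JavaScript's `encodeURIComponent` stands in here for any client encoder that leaves `'` unescaped (an assumption; the thread does not say what the web client uses), and unlike the Swift snippet both encoders also escape `+` and `@`. The e-mail addresses are constructed samples.

```javascript
// Added example, not project code. The endpoint path is copied from the app
// log in the issue; the e-mail addresses below are constructed samples.
const BASE = "https://public-api.wordpress.com/rest/v1.1";

// Lenient: encodeURIComponent leaves ! ' ( ) * unescaped.
function encodeLenient(segment) {
  return encodeURIComponent(segment);
}

// Strict: additionally percent-encode ! ' ( ) *, the same five characters
// the Swift snippet subtracts from urlPathAllowed.
function encodeStrict(segment) {
  return encodeURIComponent(segment).replace(
    /[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase()
  );
}

// Place the e-mail address into the path segment of the auth-options URL.
function authOptionsUrl(email, encode) {
  return `${BASE}/users/${encode(email)}/auth-options/`;
}

// Characters that survive the lenient encoder raw, so two clients using the
// two encoders would send different request paths for the same address.
function rawSpecials(email) {
  return [...new Set(encodeLenient(email).match(/[!'()*]/g) || [])];
}

const samples = [
  "user+test'one@example.com", // single quote
  'user+test"two@example.com', // double quote
  "user+test`three@example.com", // backtick
];

for (const email of samples) {
  const strict = encodeStrict(email);
  console.log(email);
  console.log("  lenient:", authOptionsUrl(email, encodeLenient));
  console.log("  strict: ", authOptionsUrl(email, encodeStrict));
  console.log("  left raw by lenient:", rawSpecials(email).join(" ") || "(none)");
  // A server that percent-decodes the path recovers the same address from
  // the strict form, which is why encoding should not lock out existing users.
  console.log("  round-trip ok:", decodeURIComponent(strict) === email);
}
```

Only the single quote differs between the two encoders; the double quote and backtick are escaped by both, so a failure with those characters has to come from somewhere other than path encoding.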

@ovitrif
Contributor

ovitrif commented Aug 2, 2022

I inspected the network traffic on the iOS app which confirms the single quote is URL-encoded there when calling the auth-options endpoint:

@mkevins
Contributor

mkevins commented Aug 2, 2022

Thank you for looking further into this Ovi!

🔴 Then I also couldn't enter a simple e-mail address in the input anymore:

This is indeed strange. I wonder if this means there is another issue hiding here as well 🤔 ?

Regarding the possible fixes:

I'd rather have the mobile apps not allow entering emails with a single quote.

I agree with this, generally: if we can avoid the issue altogether by warning the user at the earliest possible time (I guess account creation) not to use these characters, that might be the best. But, I'm not sure how to handle if users have already created an account like this. Since a few of us are not able to reproduce this, does this mean this is working fine for some users with special characters already, and if so, do these solutions prevent them from logging in?

@ovitrif
Contributor

ovitrif commented Aug 2, 2022

Since a few of us are not able to reproduce this, does this mean this is working fine for some users with special characters already, and if so, do these solutions prevent them from logging in?

Thank you @mkevins for your feedback, I agree we can still have it work on mobile 🙇 , while on the web users can log in with a password, which won't block them with the issue when clicking the magic link.

I proceeded to implement the same fix we have on iOS, hopefully this will mean both mobile platforms will allow all users to log in with emails having single quotes 🙇 .

@mkevins
Contributor

mkevins commented Aug 3, 2022

Hey Ovi 👋 😄

I proceeded to implement the same fix we have on iOS, hopefully this will mean both mobile platforms will allow all users to log in with emails having single quotes 🙇 .

I think your approach on that "refurbished" PR looks good, but I'm still wondering about the users that already use a special character. Would they still be able to log in once the characters are URL encoded on the client? I can try to dig up an old account that I had used previously (when I attempted and was unable to reproduce the original issue as reported). I'll try to see if this URL encoding approach causes a regression in such a case, where that account can no longer use the magic link.

@ovitrif
Contributor

ovitrif commented Aug 3, 2022

With the latest fix from PR #15526 both Android & iOS are compatible when logging in with an email having a ' 🎉

Both scenarios worked successfully:

  • ovitestin+iozz'cool@gmail.com • account created on iOS → Login on iOS & Android
  • ovitestin+android'zzz01@gmail.com • account created on Android → Login on Android & iOS

@ovitrif
Contributor

ovitrif commented Aug 9, 2022

Still have to merge the WP-Android PR

@ovitrif ovitrif reopened this Aug 9, 2022