[Security] Stop recommending to lowercase email addresses #21080

Open
ThomasLandauer opened this issue Jun 13, 2025 · 2 comments

@ThomasLandauer
Contributor

I'm questioning the entire section at https://symfony.com/doc/current/security/custom_authenticator.html#user-identifier, starting with:

It's a good practice to normalize the user identifier before using it.

@Spomky and @javiereguiluz you were the last ones who edited it.

Right now, this sounds like a recommendation to lowercase all email addresses. But this is no good advice IMO, since email addresses are case-sensitive, see https://stackoverflow.com/a/9808332/1668200

Besides, I cannot see the point of bringing up the gmail example. This creates the impression that even removing dots is the way to go ("If Google does it, then probably everybody else is doing it..."). However, we're in the context of using email addresses as usernames, and here gmail is just one provider, among millions of others.
So, frankly, I don't care what gmail is doing. And they might even change it tomorrow...

So I'm suggesting to reduce all this to just a short note - something like:

You can pass a custom normalizer (e.g. to lowercase the username).

Since everybody needs to decide for themselves what's best in their use case.

I didn't come up with a PR right away, since (more or less) deleting everything you just added might look a bit harsh ;-)

@Spomky
Contributor

Spomky commented Jun 13, 2025

Hi @ThomasLandauer,

Thanks a lot for your feedback.

Indeed, the section you referenced is meant to address user identifiers in general, not email addresses specifically.
The recommendation to normalize is about ensuring consistent comparisons during authentication, in particular because identifiers come from user input.
You're also right about the Gmail example; it should be removed to avoid confusion and unintended assumptions.
The [email protected] examples could be removed too for the same reason.

@wouterj
Member

wouterj commented Jun 13, 2025

I agree, we can probably simplify the section, only leaving something like this:

It's a good practice to normalize the user identifier before using it. This ensures that variations like "john.doe", "John.Doe", or "JOHN.DOE" are treated as the same user. In Symfony applications, you can optionally pass a user identifier normalizer as the third argument to the UserBadge. This callable receives the $userIdentifier and must return a normalized string.

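The normalizer wouterj describes above, as an added example (it is not Symfony's code and not code from this thread): a callable that takes the identifier string and returns a normalized string, wired into a small in-memory store so the effect on registration and lookup is visible. The names `normalizeIdentifier` and `UserStore` are hypothetical, and the NFKC step via PHP's `intl` `Normalizer` is this example's own choice, not something the thread or the Symfony docs prescribe. Note that it lowercases, which is exactly what ThomasLandauer argues is wrong for email addresses; whether that is acceptable for your identifiers is the decision the thread leaves to each application.

```php
<?php
declare(strict_types=1);

// Hypothetical normalizer (not Symfony code): trim surrounding whitespace,
// apply Unicode NFKC when ext-intl is available (so compatibility forms such
// as fullwidth Latin letters collapse to their ASCII equivalents), then
// lowercase. Same shape as the UserBadge normalizer: string in, string out.
function normalizeIdentifier(string $identifier): string
{
    $id = trim($identifier);
    if (class_exists(\Normalizer::class)) {
        $normalized = \Normalizer::normalize($id, \Normalizer::FORM_KC);
        if ($normalized !== false) {
            $id = $normalized;
        }
    }
    return mb_strtolower($id);
}

// Minimal in-memory user store (constructed for this example). Every access
// path goes through the same normalizer, which is the whole point: if
// registration and login normalize differently, one side will either create
// duplicate accounts or fail to find the account the user just created.
final class UserStore
{
    /** @var array<string, array{id: int, display: string}> keyed by normalized identifier */
    private array $byNormalized = [];

    public function __construct(private readonly \Closure $normalizer) {}

    /** Returns false when the normalized identifier is already taken. */
    public function register(string $identifier): bool
    {
        $key = ($this->normalizer)($identifier);
        if (isset($this->byNormalized[$key])) {
            return false;
        }
        $this->byNormalized[$key] = [
            'id' => count($this->byNormalized) + 1,
            'display' => $identifier, // keep what the user typed for display
        ];
        return true;
    }

    /** Lookup as an authenticator would do it with the submitted identifier. */
    public function find(string $identifier): ?array
    {
        return $this->byNormalized[($this->normalizer)($identifier)] ?? null;
    }

    public function count(): int
    {
        return count($this->byNormalized);
    }
}

// With normalization: the three spellings from wouterj's comment are one user,
// and a fullwidth "Ｊ" (U+FF2A) folds to "j" under NFKC, so it does not create
// a look-alike second account either.
$normalized = new UserStore(normalizeIdentifier(...));
var_dump($normalized->register('John.Doe'));          // bool(true)
var_dump($normalized->register('JOHN.DOE'));          // bool(false)
var_dump($normalized->register("\u{FF2A}ohn.Doe"));   // bool(false) when ext-intl is loaded
var_dump($normalized->find(' john.doe ')['id'] ?? null); // int(1)

// Without normalization (identity callable): the same inputs become three
// distinct accounts, and a login with a different capitalization misses.
$raw = new UserStore(static fn (string $s): string => $s);
$raw->register('John.Doe');
$raw->register('JOHN.DOE');
$raw->register("\u{FF2A}ohn.Doe");
var_dump($raw->count());               // int(3)
var_dump($raw->find('john.doe'));      // NULL

// In a Symfony authenticator the same callable is what you hand to UserBadge
// as its identifier normalizer (wouterj's comment above gives the argument
// position; check the UserBadge constructor of your Symfony version), so the
// identifier used for lookup is normalized exactly like the stored one.
```

The choice of normalizer is deliberately a single function so it can be reused at registration, at login, and in any admin or import path; the failure mode the second store shows (duplicate accounts, missed lookups) comes from normalizing in one place but not another, not from the specific rule chosen.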