Ensure email is lowercase and check availability on user creation #5442
ChinoKou wants to merge 3 commits into
Code Review

Thanks for this PR — closing the gap between

A couple of issues worth addressing before merging:

1. Missing null/undefined guard (medium)

data.email = data.email.toLowerCase().trim();

If

if (typeof data.email !== "undefined") {
data.email = data.email.toLowerCase().trim();

Even if upstream schema validation currently guarantees

2. Uniqueness check runs before access control (low)

The new block is inserted before

3. Explicit
Thanks for the great feedback! I've pushed the updates to fix the ordering, add the null guard, and clean up the method call. Also, spot on about the validation. The frontend already checks this, but I completely agree the backend check is necessary. It adds a solid layer of defense-in-depth for direct API calls.
Pull request overview
This PR improves user creation in the backend by normalizing emails (trim + lowercase) and checking whether the email is already in use before inserting a new user.
Changes:
- Normalize data.email during user creation (toLowerCase().trim()).
- Add a pre-insert uniqueness check via internalUser.isEmailAvailable() and throw a ValidationError if taken.
Comments suppressed due to low confidence (1)
backend/internal/user.js:44
isEmailAvailable() compares with where("email", "=", normalizedEmail), which can be case-sensitive depending on the DB/collation. If any existing rows contain mixed/upper-case emails from before this normalization, this check may miss them and allow duplicates. Consider using a case-insensitive comparison (e.g., LOWER(email) = ?) or migrating existing user emails to the normalized form before relying on this check.
data.email = data.email.toLowerCase().trim();
const emailAvailable = await internalUser.isEmailAvailable(data.email);
if (!emailAvailable) {
throw new errs.ValidationError(`Email address already in use - ${data.email}`);
}
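The legacy-row concern raised in the suppressed comment above, as an added example that is not code from this PR or from the project. It uses an in-memory stand-in for the user table (the rows and function names are assumptions constructed for illustration) to show an exact-match lookup missing mixed-case rows, a normalized comparison catching them, and a pre-migration scan for addresses that collide once normalized.

```javascript
// Added example: in-memory stand-in for the user table; not code from the PR.
// normalizeEmail mirrors the PR's toLowerCase().trim() and adds a string check.
function normalizeEmail(value) {
  if (typeof value !== "string") return null; // undefined, null, numbers, objects
  const normalized = value.toLowerCase().trim();
  return normalized === "" ? null : normalized;
}

// Group existing rows by normalized email and report groups with more than one row.
function findCollisions(rows) {
  const byEmail = new Map();
  for (const row of rows) {
    const key = normalizeEmail(row.email);
    if (key === null) continue;
    if (!byEmail.has(key)) byEmail.set(key, []);
    byEmail.get(key).push(row.id);
  }
  return [...byEmail]
    .filter(([, ids]) => ids.length > 1)
    .map(([email, ids]) => ({ email, ids }));
}

// Exact-match lookup, as a case-sensitive collation would behave.
function availableExact(rows, email) {
  return !rows.some((r) => r.email === email);
}

// Lookup that normalizes both sides (case-insensitive comparison plus trim).
function availableNormalized(rows, email) {
  const wanted = normalizeEmail(email);
  return wanted !== null && !rows.some((r) => normalizeEmail(r.email) === wanted);
}

// Constructed sample rows, including data stored before normalization existed.
const legacyRows = [
  { id: 1, email: "Admin@Example.com" },
  { id: 2, email: "admin@example.com " },
  { id: 3, email: "ops@example.com" },
];

const candidate = normalizeEmail("ADMIN@example.com");
console.log("exact match says available:", availableExact(legacyRows, candidate));
console.log("normalized match says available:", availableNormalized(legacyRows, candidate));
console.log("rows to merge before migrating:", JSON.stringify(findCollisions(legacyRows)));
```

Running the collision scan before a normalization migration matters because rows 1 and 2 cannot both be rewritten to the same value once a unique constraint is in place.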
| data.email = data.email.toLowerCase().trim(); | ||
| const emailAvailable = await internalUser.isEmailAvailable(data.email); | ||
| if (!emailAvailable) { | ||
| throw new errs.ValidationError(`Email address already in use - ${data.email}`); | ||
| } |
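Review bot: data.email.toLowerCase() on the first line runs with no check that data.email is present, so a create request without an email fails with a TypeError rather than a ValidationError. Guard the block on the value being a string before normalizing it.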
| if (typeof data.email !== "undefined" && data.email !== null) { | ||
| data.email = data.email.toLowerCase().trim(); | ||
| const emailAvailable = await internalUser.isEmailAvailable(data.email); | ||
| if (!emailAvailable) { | ||
| throw new errs.ValidationError(`Email address already in use - ${data.email}`); | ||
| } | ||
| } |
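Review bot: the guard on the first line only excludes undefined and null, so a non-string email (a number, an array, an object) still reaches toLowerCase() and throws a TypeError. Test for typeof data.email === "string" instead, and decide explicitly what happens when the guard is false, because in that case creation continues with neither normalization nor the availability check.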
| if (typeof data.email !== "undefined" && data.email !== null) { | ||
| data.email = data.email.toLowerCase().trim(); | ||
| const emailAvailable = await internalUser.isEmailAvailable(data.email); | ||
| if (!emailAvailable) { | ||
| throw new errs.ValidationError(`Email address already in use - ${data.email}`); | ||
| } | ||
| } |
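Review bot: isEmailAvailable() followed by a later insert is a check-then-act sequence, so two concurrent create requests for the same address can both see it as available. Nothing in these lines shows a unique constraint on the email column; if there is none, add one and treat the constraint violation as the authoritative duplicate signal, keeping this check for the friendly error message.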
Docker Image for build 2 is available on DockerHub:

Note: Ensure you backup your NPM instance before testing this image! Especially if there are database changes.

Warning: Changes and additions to DNS Providers require verification by at least 2 members of the community!
This pull request adds email normalization and uniqueness validation to the user creation logic in backend/internal/user.js. Now, emails are converted to lowercase and trimmed, and the system checks if the email is already in use before proceeding.

User validation improvements: