Email address with leading/trailing whitespace treated as different identifier

[meyfa]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Cloud project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe the bug

Suppose an account exists for "[email protected]", then it is not possible to log in using "[email protected] " (same string but with trailing whitespace, which often happens on mobile phones with auto-completion) or " [email protected]" (leading whitespace). In both cases, the error message reads "The provided credentials are invalid, check for spelling mistakes in your password or username, email address, or phone number.". I think whitespace around the identifier should be ignored.

Even worse, entirely new accounts can be registered for all of the following:

" [email protected]"
"  [email protected]"
"   [email protected]"

etc.

Interestingly, trying to register an account for "[email protected] " (trailing space instead of leading) will fail, as it should. The error message there reads "\"[email protected] \" is not valid \"email\"".

Reproducing the bug

Create an account for "[email protected]" and verify that logging into it works, then log out again.

At this point the following things will fail, although they should succeed:

• Logging in with "[email protected] "
• Logging in with " [email protected]"

The following will work, although it should fail:

• Creating an account for " [email protected]"

The following will correctly fail:

• Creating an account for "[email protected] "

(Note that the quotation marks are not part of user input. I had to add them to deal with Markdown formatting issues.)

Relevant log output

No response

Relevant configuration

{
  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "minLength": 3,
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            },
            "verification": {
              "via": "email"
            }
          }
        },
        "name": {
          "type": "string",
          "title": "Full name"
        }
      },
      "required": [
        "email",
        "name"
      ],
      "additionalProperties": false
    }
  }
}

Version

v0.8.0-alpha.3

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response

[aeneasr]

Nice find, we should probably add some type of sanitation (I think there's another similar issue tracked here already). A simple strings.TrimSpaces would be enough for email addresses. Question is if this should also be the case for non-emails?

[meyfa]

There is #814, which dealt with capitalization (but that was already fixed). Personally, I think that whitespace should be ignored for regular usernames, too, i.e. the sanitation behavior for whitespace and capitalization should be the same.

[zepatrik]

I can confirm that especially apple mobile devices add whitespace after word completion, which is not obvious to users. Experienced that once myself, took me quite some time to figure it out. That issue will also be true for usernames.

[meyfa]

I just noticed a mistaken assumption in my initial comment:

Interestingly, trying to register an account for "[email protected] " (trailing space instead of leading) will fail, as it should. The error message there reads "\"[email protected] \" is not valid \"email\"".

While I think it is correct to fail in the described scenario (where "[email protected]" already exists) it is NOT correct to fail due to an invalid format. Word completion will also exist for registration forms and users should be able to register by entering "[email protected] ". This might be an entirely different issue more to do with JSON schema validation though...