studio/meet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

🩹(backend) use case-insensitive email matching in the external api

Browse Source 
Fix a minor issue in the external API where users were matched using
case-sensitive email comparison, while authentication treats emails as
case-insensitive. This caused inconsistencies that are now resolved.

Spotted by T. Lemeur from Centrale.
This commit is contained in:
lebaudantoine
2026-01-20 20:13:57 +01:00
committed by aleb_the_flash
parent 250e599465
commit 99a18b6e90
3 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -22,6 +22,7 @@ and this project adheres to
- ♿(frontend) improve contrast for selected options #863 - ♿(frontend) improve contrast for selected options #863
- ♿️(frontend) announce copy state in invite dialog #877 - ♿️(frontend) announce copy state in invite dialog #877
- 📝(frontend) align close dialog label in rooms locale #878 - 📝(frontend) align close dialog label in rooms locale #878
- 🩹(backend) use case-insensitive email matching in the external api #887
## [1.3.0] - 2026-01-13 ## [1.3.0] - 2026-01-13

8
src/backend/core/external_api/viewsets.py
View File

@@ -5,7 +5,7 @@ from logging import getLogger
from django.conf import settings from django.conf import settings
from django.contrib.auth.hashers import check_password from django.contrib.auth.hashers import check_password
from django.core.exceptions import ValidationError from django.core.exceptions import SuspiciousOperation, ValidationError
from django.core.validators import validate_email from django.core.validators import validate_email
import jwt import jwt
@@ -93,7 +93,7 @@ class ApplicationViewSet(viewsets.GenericViewSet):
) )
try: try:
user = models.User.objects.get(email=email) user = models.User.objects.get(email__iexact=email)
except models.User.DoesNotExist as e: except models.User.DoesNotExist as e:
if ( if (
settings.APPLICATION_ALLOW_USER_CREATION settings.APPLICATION_ALLOW_USER_CREATION
@@ -123,6 +123,10 @@ class ApplicationViewSet(viewsets.GenericViewSet):
) )
else: else:
raise drf_exceptions.NotFound("User not found.") from e raise drf_exceptions.NotFound("User not found.") from e
except models.User.MultipleObjectsReturned as e:
raise SuspiciousOperation(
"Multiple user accounts share a common email."
) from e
now = datetime.now(timezone.utc) now = datetime.now(timezone.utc)
scope = " ".join(application.scopes or []) scope = " ".join(application.scopes or [])

4
src/backend/core/tests/test_external_api_token.py
View File

@@ -22,7 +22,7 @@ pytestmark = pytest.mark.django_db
def test_api_applications_generate_token_success(settings): def test_api_applications_generate_token_success(settings):
"""Valid credentials should return a JWT token.""" """Valid credentials should return a JWT token."""
settings.APPLICATION_JWT_SECRET_KEY = "devKey" settings.APPLICATION_JWT_SECRET_KEY = "devKey"
user = UserFactory(email="user@example.com") UserFactory(email="User.Family@example.com")
application = ApplicationFactory( application = ApplicationFactory(
active=True, active=True,
scopes=[ApplicationScope.ROOMS_LIST, ApplicationScope.ROOMS_CREATE], scopes=[ApplicationScope.ROOMS_LIST, ApplicationScope.ROOMS_CREATE],
@@ -40,7 +40,7 @@ def test_api_applications_generate_token_success(settings):
"client_id": application.client_id, "client_id": application.client_id,
"client_secret": plain_secret, "client_secret": plain_secret,
"grant_type": "client_credentials", "grant_type": "client_credentials",
"scope": user.email, "scope": "user.family@example.com",
}, },
format="json", format="json",
) )