From d370a4db10931c9b16f6a78c870c3c0f44ab9058 Mon Sep 17 00:00:00 2001
From: lebaudantoine
Date: Mon, 4 Nov 2024 14:01:09 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B(backend)=20harden=20email=20matchi?=
 =?UTF-8?q?ng=20against=20ambiguous=20cases?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Handle case-sensitivity and whitespace in email lookups.
Detect and block multiple matching accounts as security precaution.
---
 src/backend/core/authentication/backends.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/backend/core/authentication/backends.py b/src/backend/core/authentication/backends.py
index 9e2ada71..7ce8799c 100644
--- a/src/backend/core/authentication/backends.py
+++ b/src/backend/core/authentication/backends.py
@@ -96,7 +96,11 @@ class OIDCAuthenticationBackend(MozillaOIDCAuthenticationBackend):
         except User.DoesNotExist:
             if email and settings.OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION:
                 try:
-                    return User.objects.get(email=email)
+                    return User.objects.get(email__iexact=email)
                 except User.DoesNotExist:
                     pass
+                except User.MultipleObjectsReturned as e:
+                    raise SuspiciousOperation(
+                        _("Multiple user accounts share a common email.")
+                    ) from e
         return None
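Review bot: The commit message says whitespace in email lookups is handled, but the hunk only changes the lookup to `email__iexact`; no trimming of `email` is visible, so either it happens before this point (outside the hunk) or it is missing. If it is missing, `return User.objects.get(email__iexact=email.strip())` would make the code match the description, since the surrounding `if email and ...` already guarantees a non-empty value. `SuspiciousOperation` and `_` are used on the new lines but the module's import block is not in the hunk, so confirm both are imported rather than relying on names that happen to be in scope. The enclosing method starts and ends outside the hunk.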