save new user based on lowercase email (#7629)

ahmadhamzh · web-flow · commit 9a3d771af9ca · 2025-10-06T12:42:49.000+02:00
diff --git a/modules/api/pkg/handler/test/helper.go b/modules/api/pkg/handler/test/helper.go
@@ -877,7 +877,7 @@ func CompareWithResult(t *testing.T, res *httptest.ResponseRecorder, response st
 func GenUser(id, name, email string) *kubermaticv1.User {
 	if len(id) == 0 {
 		// the name of the object is derived from the email address and encoded as sha256
-		id = fmt.Sprintf("%x", sha256.Sum256([]byte(email)))
+		id = fmt.Sprintf("%x", sha256.Sum256([]byte(strings.ToLower(email))))
 	}
 
 	h := sha512.New512_224()
@@ -893,7 +893,7 @@ func GenUser(id, name, email string) *kubermaticv1.User {
 		},
 		Spec: kubermaticv1.UserSpec{
 			Name:  name,
-			Email: email,
+			Email: strings.ToLower(email),
 		},
 		Status: kubermaticv1.UserStatus{
 			LastSeen: metav1.NewTime(UserLastSeen),
diff --git a/modules/api/pkg/provider/kubernetes/user.go b/modules/api/pkg/provider/kubernetes/user.go
@@ -85,18 +85,18 @@ func (p *UserProvider) UserByEmail(ctx context.Context, email string) (*kubermat
 // CreateUser creates a new user. If no user is found at all the created user is elected as the first admin.
 //
 // Note that:
-// The name of the newly created resource will be unique and it is derived from the user's email address (sha256(email)
+// The name of the newly created resource will be unique and it is derived from the user's email address (sha256(email))
 // This prevents creating multiple resources for the same user with the same email address.
 //
-// In the beginning I was considering to hex-encode the email address as it will produce a unique output because the email address in unique.
+// In the beginning I was considering to hex-encode the email address as it will produce a unique output because the email address is unique.
 // The only issue I have found with this approach is that the length can get quite long quite fast.
 // Thus decided to use sha256 as it produces fixed output and the hash collisions are very, very, very, very rare.
 
 func (p *UserProvider) CreateUser(ctx context.Context, name, email string, groups []string) (*kubermaticv1.User, error) {
 	if len(name) == 0 || len(email) == 0 {
 		return nil, apierrors.NewBadRequest("Email, ID and Name cannot be empty when creating a new user resource")
 	}
-
+	email = strings.ToLower(email)
 	if kubermaticv1helper.IsProjectServiceAccount(email) {
 		return nil, apierrors.NewBadRequest(fmt.Sprintf("cannot add a user with the given email %s as the name is reserved, please try a different email address", email))
 	}
@@ -132,7 +132,7 @@ func (p *UserProvider) CreateUser(ctx context.Context, name, email string, group
 func (p *UserProvider) UpdateUser(ctx context.Context, user *kubermaticv1.User) (*kubermaticv1.User, error) {
 	// make sure the first patch doesn't override the status
 	status := user.Status.DeepCopy()
-
+	user.Spec.Email = strings.ToLower(user.Spec.Email)
 	if err := p.runtimeClient.Update(ctx, user); err != nil {
 		return nil, err
 	}
diff --git a/modules/api/pkg/provider/kubernetes/util_test.go b/modules/api/pkg/provider/kubernetes/util_test.go
@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"io"
 	"sort"
+	"strings"
 	"time"
 
 	"github.com/go-jose/go-jose/v4/jwt"
@@ -98,7 +99,7 @@ func sortTokenByName(tokens []*corev1.Secret) {
 func genUser(id, name, email string) *kubermaticv1.User {
 	if len(id) == 0 {
 		// the name of the object is derived from the email address and encoded as sha256
-		id = fmt.Sprintf("%x", sha256.Sum256([]byte(email)))
+		id = fmt.Sprintf("%x", sha256.Sum256([]byte(strings.ToLower(email))))
 	}
 
 	h := sha512.New512_224()
@@ -114,7 +115,7 @@ func genUser(id, name, email string) *kubermaticv1.User {
 		},
 		Spec: kubermaticv1.UserSpec{
 			Name:  name,
-			Email: email,
+			Email: strings.ToLower(email),
 		},
 	}
 }
