Gmail users can create multiple accounts with the same email #1423

sahar2339 · 2024-07-20T11:33:07Z

sahar2339
Jul 20, 2024

Describe the bug

FastAPI Users doesn't correctly handle Gmail addresses with dots. Gmail treats addresses with and without dots as the same (e.g., [email protected] and [email protected] are identical), but FastAPI Users allows creating separate accounts for these variations. This can lead to security and user management issues.

To Reproduce

Steps to reproduce the behavior:

Set up a FastAPI Users instance with email authentication.
Create a user account with the email [email protected].
Attempt to create another account with the email [email protected].
Observe that the second account is created successfully, despite representing the same Gmail address.

Expected behavior

FastAPI Users should recognize that Gmail addresses with different dot placements are equivalent and prevent the creation of duplicate accounts. When attempting to create an account with a Gmail address that's identical except for dot placement, it should either:

Reject the new account creation, or
Treat it as a login attempt for the existing account

Configuration

Python version: 3.12
FastAPI version: 0.111.0
FastAPI Users version: 13.0.0

Additional context

This issue only affects Gmail addresses, as other email providers may treat dots differently.
Implementing a fix will require careful consideration of existing user accounts and potential database migrations.
A similar approach might be needed for Gmail's "+" alias feature (e.g., [email protected]).
Reference: Gmail Help: Using dots in Gmail addresses

frankie567 · 2024-07-21T07:10:45Z

frankie567
Jul 21, 2024
Maintainer

I've tried on several big services like GitHub, and they do not treat Gmail addresses differently. You can very well register another account by adding a dot inside the address. Same for the "+" alias.

I'm not really favorable to blocking that behavior by default. It's quite similar to websites that want to block temporary email addresses. If you want to prevent multiple Gmail accounts, I suggest you add your own logic by overloading the create method:

fastapi-users/fastapi_users/manager.py

Lines 110 to 147 in c0c4da9

    
               async def create( 
        
                   self, 
        
                   user_create: schemas.UC, 
        
                   safe: bool = False, 
        
                   request: Optional[Request] = None, 
        
               ) -> models.UP: 
        
                   """ 
        
                   Create a user in database. 
        
                   Triggers the on_after_register handler on success. 
        
                   :param user_create: The UserCreate model to create. 
        
                   :param safe: If True, sensitive values like is_superuser or is_verified 
        
                   will be ignored during the creation, defaults to False. 
        
                   :param request: Optional FastAPI request that 
        
                   triggered the operation, defaults to None. 
        
                   :raises UserAlreadyExists: A user already exists with the same e-mail. 
        
                   :return: A new user. 
        
                   """ 
        
                   await self.validate_password(user_create.password, user_create) 
        
                   existing_user = await self.user_db.get_by_email(user_create.email) 
        
                   if existing_user is not None: 
        
                       raise exceptions.UserAlreadyExists() 
        
                   user_dict = ( 
        
                       user_create.create_update_dict() 
        
                       if safe 
        
                       else user_create.create_update_dict_superuser() 
        
                   ) 
        
                   password = user_dict.pop("password") 
        
                   user_dict["hashed_password"] = self.password_helper.hash(password) 
        
                   created_user = await self.user_db.create(user_dict) 
        
                   await self.on_after_register(created_user, request) 
        
                   return created_user

0 replies

sahar2339 · 2024-07-27T12:20:22Z

sahar2339
Jul 27, 2024
Author

Thank you, it seems fair

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Gmail users can create multiple accounts with the same email #1423

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Gmail users can create multiple accounts with the same email #1423

Uh oh!

sahar2339 Jul 20, 2024

Describe the bug

To Reproduce

Expected behavior

Configuration

Additional context

Replies: 2 comments

Uh oh!

frankie567 Jul 21, 2024 Maintainer

Uh oh!

sahar2339 Jul 27, 2024 Author

sahar2339
Jul 20, 2024

frankie567
Jul 21, 2024
Maintainer

sahar2339
Jul 27, 2024
Author