fix: apply lower case to all email invitations (#8121)

n1ru4l · gemini-code-assist[bot] · web-flow · commit 84d1f5c64f96 · 2026-06-05T18:02:48.000+02:00
Co-authored-by: gemini-code-assist[bot] &lt;176961590+gemini-code-assist[bot]@users.noreply.github.com&gt;
diff --git a/.changeset/real-dingos-punch.md b/.changeset/real-dingos-punch.md
@@ -0,0 +1,43 @@
+---
+'hive': patch
+---
+
+Fix issue where the user emails were not inserted in lower-case for OIDC providers returning non-lowercase emails.
+
+If you are affected, you can manually fix you database state by running the following commands, to make account-linking from different login methods work smoothly.
+
+```sql
+UPDATE "users"
+SET
+  "email" = lower("email")
+WHERE
+  "email" <> lower("email")
+;
+```
+
+
+```sql
+UPDATE "supertokens_thirdparty_users"
+SET
+  "email" = lower("email")
+WHERE
+  "email" <> lower("email")
+;
+```
+
+
+Fix issue where user emails were not inserted into the database in lowercase for invites, resulting in a mismatch of user account email and invite email that could not be accespted.
+To cleanup your database of invites, run the following command to identify duplicate records and then manually fix them/clean them up.
+
+```sql
+SELECT
+  "organization_id"
+  , lower(email) AS key
+  , array_agg(json_object(array['email', 'code', 'expires_at'], array["email", "code", to_json("expires_at")::text])) AS records
+  , COUNT(*)
+FROM
+  "organization_invitations"
+GROUP BY
+  "organization_id", lower("email")
+HAVING COUNT(*) > 1;
+```
diff --git a/packages/services/api/src/modules/auth/providers/email-verification.ts b/packages/services/api/src/modules/auth/providers/email-verification.ts
@@ -84,7 +84,7 @@ export class EmailVerification {
           FROM "email_verifications" "ev"
           WHERE
             "ev"."user_identity_id" = ${input.userIdentityId}
-            AND "ev"."email" = ${input.email}
+            AND lower("ev"."email") = lower(${input.email})
         `,
       )
       .then(v => EmailVerificationModel.nullable().parse(v));
@@ -143,7 +143,7 @@ export class EmailVerification {
           FROM "email_verifications" "ev"
           WHERE
             "ev"."user_identity_id" = ${input.userIdentityId}
-            AND "ev"."email" = ${superTokensUser.email}
+            AND lower("ev"."email") = lower(${superTokensUser.email})
         `,
       )
       .then(v => EmailVerificationModel.nullable().parse(v));
@@ -216,7 +216,7 @@ export class EmailVerification {
           FROM "email_verifications" "ev"
           WHERE
             "user_identity_id" = ${input.userIdentityId}
-            AND "email" = ${input.email}
+            AND lower("email") = lower(${input.email})
             AND "expires_at" IS NOT NULL
             AND "verified_at" IS NULL
         `,
diff --git a/packages/services/api/src/modules/auth/providers/supertokens-store.ts b/packages/services/api/src/modules/auth/providers/supertokens-store.ts
@@ -329,7 +329,7 @@ export class SuperTokensStore {
       UPDATE
         "supertokens_thirdparty_users"
       SET
-        "email" = ${args.newEmail}
+        "email" = lower(${args.newEmail})
       WHERE
         "app_id" = 'public'
         AND "user_id" = ${args.userId}
@@ -387,7 +387,7 @@ export class SuperTokensStore {
         , ${args.thirdPartyId}
         , ${args.thirdPartyUserId}
         , ${userId}
-        , ${args.email}
+        , lower(${args.email})
         , ${now}
       )
       RETURNING
@@ -560,7 +560,7 @@ export class SuperTokensStore {
        'public'
        , ${args.user.userId}
        , ${args.token}
-       , ${args.user.email}
+       , lower(${args.user.email})
        , ${args.expiresAt}
       )
       RETURNING
diff --git a/packages/services/server/src/supertokens-at-home.ts b/packages/services/server/src/supertokens-at-home.ts
@@ -1411,7 +1411,13 @@ export async function registerSupertokensAtHome(
         const userInfoBody = z
           .object({
             sub: z.string(),
-            email: z.string().optional().nullable(),
+            email: z
+              .string()
+              // make sure the email is transformed to lower-case
+              // sometimes the OIDC provider love giving us custom formatted ones
+              .transform(email => email.toLowerCase())
+              .optional()
+              .nullable(),
           })
           .safeParse(userInfoBodyJSON.data);
 
diff --git a/packages/services/storage/src/index.ts b/packages/services/storage/src/index.ts
@@ -282,10 +282,10 @@ export async function createStorage(
     },
     async ensureUserExists({
       superTokensUserId,
-      email,
       oidcIntegration,
       firstName,
       lastName,
+      ...args
     }: {
       superTokensUserId: string;
       firstName: string | null;
@@ -295,6 +295,7 @@ export async function createStorage(
         id: string;
       };
     }) {
+      const email = args.email.toLowerCase();
       class EnsureUserExistsError extends Error {}
 
       try {
@@ -326,7 +327,7 @@ export async function createStorage(
                 psql`/* ensureUserExists */
                   SELECT ${userFields(psql`"users".`)}
                   FROM "users"
-                  WHERE "users"."email" = ${email}
+                  WHERE "users"."email" = lower(${email})
                   ORDER BY "users"."created_at";
                 `,
               )
@@ -358,7 +359,7 @@ export async function createStorage(
                     DELETE FROM "organization_invitations" AS "oi"
                     WHERE
                       "oi"."organization_id" = ${oidcConfig.linkedOrganizationId}
-                      AND "oi"."email" = ${email}
+                      AND lower("oi"."email") = lower(${email})
                       AND "oi"."expires_at" > now()
                     RETURNING
                       "oi"."organization_id" "organizationId"
@@ -427,10 +428,10 @@ export async function createStorage(
           if (internalUser.email !== email) {
             await t.query(psql`
               UPDATE "users"
-              SET "email" = ${email}
+              SET "email" = lower(${email})
               WHERE "id" = ${internalUser.id}
             `);
-            internalUser.email = email;
+            internalUser.email = email.toLowerCase();
           }
 
           if (oidcIntegration !== null) {
@@ -958,7 +959,7 @@ export async function createStorage(
             )
             VALUES (
               ${args.organizationId}
-              , ${args.email}
+              , lower(${args.email})
               , ${args.roleId}
               , ${args.resourceAssignments === null ? null : psql.jsonb(args.resourceAssignments)}
             )
@@ -983,7 +984,9 @@ export async function createStorage(
           .maybeOne(
             psql`/* deleteOrganizationInvitationByEmail */
                 DELETE FROM organization_invitations
-                WHERE organization_id = ${organization} AND email = ${email}
+                WHERE
+                  organization_id = ${organization}
+                  AND email = lower(${email})
                 RETURNING
                   "organization_id" AS "organizationId"
                   , "code"
@@ -1210,7 +1213,7 @@ export async function createStorage(
           LEFT JOIN organization_invitations as i ON (i.organization_id = o.id)
           WHERE
             i.code = ${inviteCode}
-            AND i.email = ${email}
+            AND i.email = lower(${email})
             AND i.expires_at > NOW()
           GROUP BY o.id
           LIMIT 1
