OAuth account linking fails when email casing differs between provider and existing account
🐛BugOAuth related
Account linking fails during the OAuth flow if the email address returned by the OAuth provider has different casing than the email address already stored in the database.
While the email addresses are logically the same (e.g., johndoe@email.com and JohnDoe@email.com), the system treats them as distinct, preventing the automatic or manual linking of the OAuth identity to the existing user profile.
Steps to Reproduce:
1. Create an account using a standard email/password provider with a lowercase email: johndoe@email.com.
2. Attempt to sign in or link an account via an OAuth provider (e.g., Google or GitHub) where the primary email is returned with capital letters: JohnDoe@email.com.
3. Observe that the linking process fails or creates a duplicate user instead of linking to the existing record.
While the email addresses are logically the same (e.g., johndoe@email.com and JohnDoe@email.com), the system treats them as distinct, preventing the automatic or manual linking of the OAuth identity to the existing user profile.
Steps to Reproduce:
1. Create an account using a standard email/password provider with a lowercase email: johndoe@email.com.
2. Attempt to sign in or link an account via an OAuth provider (e.g., Google or GitHub) where the primary email is returned with capital letters: JohnDoe@email.com.
3. Observe that the linking process fails or creates a duplicate user instead of linking to the existing record.
