fix: normalize email case to prevent duplicate accounts

src/providers/Email.ts

@@ -6,6 +6,7 @@
 
 import { GenericDataModel } from "convex/server";
 import { EmailConfig, EmailUserConfig } from "../server/types.js";
+import { normalizeEmail } from "../server/implementation/utils.js";
 
 /**
  * Email providers send a token to the user's email address
@@ -47,7 +48,10 @@ export function Email<DataModel extends GenericDataModel>(
           "Token verification requires an `email` in params of `signIn`.",
         );
       }
-      if (account.providerAccountId !== params.email) {
+      if (
+        normalizeEmail(account.providerAccountId as string) !==
+        normalizeEmail(params.email)
+      ) {
         throw new Error(
           "Short verification code requires a matching `email` " +
             "in params of `signIn`.",

src/providers/Password.ts

@@ -44,6 +44,7 @@ import {
 } from "convex/server";
 import { Value } from "convex/values";
 import { Scrypt } from "lucia";
+import { normalizeEmail } from "../server/implementation/utils.js";
 
 /**
  * The available options to a {@link Password} provider for Convex Auth.
@@ -256,6 +257,6 @@ function validateDefaultPasswordRequirements(password: string) {
 
 function defaultProfile(params: Record<string, unknown>) {
   return {
-    email: params.email as string,
+    email: normalizeEmail(params.email as string),
   };
 }

src/server/implementation/mutations/accountLookup.ts

@@ -0,0 +1,34 @@
+import { Doc, MutationCtx } from "../types.js";
+import { normalizeEmail } from "../utils.js";
+
+/**
+ * Look up an auth account by provider and account ID.
+ *
+ * Tries an exact match first, then falls back to a normalized (lowercased)
+ * lookup. This makes reads backward-compatible: accounts created before
+ * email normalization was introduced are still reachable by their original
+ * casing, while new (normalized) accounts are found on the fallback query.
+ */
+export async function findAccountByProviderAndId(
+  ctx: MutationCtx,
+  provider: string,
+  providerAccountId: string,
+): Promise<Doc<"authAccounts"> | null> {
+  const exact = await ctx.db
+    .query("authAccounts")
+    .withIndex("providerAndAccountId", (q) =>
+      q.eq("provider", provider).eq("providerAccountId", providerAccountId),
+    )
+    .unique();
+  if (exact !== null) return exact;
+
+  const normalized = normalizeEmail(providerAccountId);
+  if (normalized === providerAccountId) return null;
+
+  return await ctx.db
+    .query("authAccounts")
+    .withIndex("providerAndAccountId", (q) =>
+      q.eq("provider", provider).eq("providerAccountId", normalized),
+    )
+    .unique();
+}

src/server/implementation/mutations/createAccountFromCredentials.ts

@@ -5,6 +5,7 @@ import { ConvexCredentialsConfig } from "../../types.js";
 import { upsertUserAndAccount } from "../users.js";
 import { getAuthSessionId } from "../sessions.js";
 import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
+import { findAccountByProviderAndId } from "./accountLookup.js";
 
 export const createAccountFromCredentialsArgs = v.object({
   provider: v.string(),
@@ -37,12 +38,11 @@ export async function createAccountFromCredentialsImpl(
     shouldLinkViaPhone,
   } = args;
   const provider = getProviderOrThrow(providerId) as ConvexCredentialsConfig;
-  const existingAccount = await ctx.db
-    .query("authAccounts")
-    .withIndex("providerAndAccountId", (q) =>
-      q.eq("provider", provider.id).eq("providerAccountId", account.id),
-    )
-    .unique();
+  const existingAccount = await findAccountByProviderAndId(
+    ctx,
+    provider.id,
+    account.id,
+  );
   if (existingAccount !== null) {
     if (
       account.secret !== undefined &&

src/server/implementation/mutations/createVerificationCode.ts

@@ -4,7 +4,8 @@ import * as Provider from "../provider.js";
 import { EmailConfig, PhoneConfig } from "../../types.js";
 import { getAccountOrThrow, upsertUserAndAccount } from "../users.js";
 import { getAuthSessionId } from "../sessions.js";
-import { LOG_LEVELS, logWithLevel, sha256 } from "../utils.js";
+import { LOG_LEVELS, logWithLevel, normalizeEmail, sha256 } from "../utils.js";
+import { findAccountByProviderAndId } from "./accountLookup.js";
 
 export const createVerificationCodeArgs = v.object({
   accountId: v.optional(v.id("authAccounts")),
@@ -37,14 +38,7 @@ export async function createVerificationCodeImpl(
   const existingAccount =
     existingAccountId !== undefined
       ? await getAccountOrThrow(ctx, existingAccountId)
-      : await ctx.db
-          .query("authAccounts")
-          .withIndex("providerAndAccountId", (q) =>
-            q
-              .eq("provider", providerId)
-              .eq("providerAccountId", email ?? phone!),
-          )
-          .unique();
+      : await findAccountByProviderAndId(ctx, providerId, email ?? phone!);
 
   const provider = getProviderOrThrow(providerId, allowExtraProviders) as
     | EmailConfig
@@ -54,7 +48,10 @@ export async function createVerificationCodeImpl(
     await getAuthSessionId(ctx),
     existingAccount !== null
       ? { existingAccount }
-      : { providerAccountId: email ?? phone! },
+      : {
+          providerAccountId:
+            email !== undefined ? normalizeEmail(email) : phone!,
+        },
     provider.type === "email"
       ? { type: "email", provider, profile: { email: email! } }
       : { type: "phone", provider, profile: { phone: phone! } },
@@ -103,7 +100,7 @@ async function generateUniqueVerificationCode(
     provider,
     code: await sha256(code),
     expirationTime,
-    emailVerified: email,
+    emailVerified: email !== undefined ? normalizeEmail(email) : undefined,
     phoneVerified: phone,
   });
 }

src/server/implementation/mutations/modifyAccount.ts

@@ -2,6 +2,7 @@ import { Infer, v } from "convex/values";
 import { ActionCtx, MutationCtx } from "../types.js";
 import { GetProviderOrThrowFunc, hash } from "../provider.js";
 import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
+import { findAccountByProviderAndId } from "./accountLookup.js";
 
 export const modifyAccountArgs = v.object({
   provider: v.string(),
@@ -21,12 +22,11 @@ export async function modifyAccountImpl(
       secret: maybeRedact(account.secret ?? ""),
     },
   });
-  const existingAccount = await ctx.db
-    .query("authAccounts")
-    .withIndex("providerAndAccountId", (q) =>
-      q.eq("provider", provider).eq("providerAccountId", account.id),
-    )
-    .unique();
+  const existingAccount = await findAccountByProviderAndId(
+    ctx,
+    provider,
+    account.id,
+  );
   if (existingAccount === null) {
     throw new Error(
       `Cannot modify account with ID ${account.id} because it does not exist`,

src/server/implementation/mutations/retrieveAccountWithCredentials.ts

@@ -7,6 +7,7 @@ import {
 } from "../rateLimit.js";
 import * as Provider from "../provider.js";
 import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
+import { findAccountByProviderAndId } from "./accountLookup.js";
 
 export const retrieveAccountWithCredentialsArgs = v.object({
   provider: v.string(),
@@ -33,12 +34,11 @@ export async function retrieveAccountWithCredentialsImpl(
       secret: maybeRedact(account.secret ?? ""),
     },
   });
-  const existingAccount = await ctx.db
-    .query("authAccounts")
-    .withIndex("providerAndAccountId", (q) =>
-      q.eq("provider", providerId).eq("providerAccountId", account.id),
-    )
-    .unique();
+  const existingAccount = await findAccountByProviderAndId(
+    ctx,
+    providerId,
+    account.id,
+  );
   if (existingAccount === null) {
     return "InvalidAccountId";
   }

src/server/implementation/mutations/verifyCodeAndSignIn.ts

@@ -12,7 +12,7 @@ import {
   maybeGenerateTokensForSession,
 } from "../sessions.js";
 import { ConvexAuthConfig } from "../../types.js";
-import { LOG_LEVELS, logWithLevel, sha256 } from "../utils.js";
+import { LOG_LEVELS, logWithLevel, normalizeEmail, sha256 } from "../utils.js";
 import { upsertUserAndAccount } from "../users.js";
 
 export const verifyCodeAndSignInArgs = v.object({
@@ -39,7 +39,10 @@ export async function verifyCodeAndSignInImpl(
     allowExtraProviders: args.allowExtraProviders,
   });
   const { generateTokens, provider, allowExtraProviders } = args;
-  const identifier = args.params.email ?? args.params.phone;
+  const identifier =
+    args.params.email !== undefined
+      ? normalizeEmail(args.params.email)
+      : args.params.phone;
   if (identifier !== undefined) {
     if (await isSignInRateLimited(ctx, identifier, config)) {
       logWithLevel(

src/server/implementation/users.ts

@@ -1,7 +1,7 @@
 import { GenericId } from "convex/values";
 import { Doc, MutationCtx, QueryCtx } from "./types.js";
 import { AuthProviderMaterializedConfig, ConvexAuthConfig } from "../types.js";
-import { LOG_LEVELS, logWithLevel } from "./utils.js";
+import { LOG_LEVELS, logWithLevel, normalizeEmail } from "./utils.js";
 
 type CreateOrUpdateUserArgs = {
   type: "oauth" | "credentials" | "email" | "phone" | "verification";
@@ -127,6 +127,9 @@ async function defaultCreateOrUpdateUser(
     ...(emailVerified ? { emailVerificationTime: Date.now() } : null),
     ...(phoneVerified ? { phoneVerificationTime: Date.now() } : null),
     ...profile,
+    ...(typeof profile.email === "string"
+      ? { email: normalizeEmail(profile.email) }
+      : null),
   };
   const existingOrLinkedUserId = userId;
   if (userId !== null) {
@@ -163,13 +166,28 @@ async function defaultCreateOrUpdateUser(
   return userId;
 }
 
+/**
+ * Find a unique user with a verified email, using the same "try exact then
+ * normalized" strategy as {@link findAccountByProviderAndId} so that
+ * pre-normalization user records are still discoverable for account linking.
+ */
 async function uniqueUserWithVerifiedEmail(ctx: QueryCtx, email: string) {
   const users = await ctx.db
     .query("users")
     .withIndex("email", (q) => q.eq("email", email))
     .filter((q) => q.neq(q.field("emailVerificationTime"), undefined))
     .take(2);
-  return users.length === 1 ? users[0] : null;
+  if (users.length === 1) return users[0];
+
+  const normalized = normalizeEmail(email);
+  if (normalized === email) return null;
+
+  const normalizedUsers = await ctx.db
+    .query("users")
+    .withIndex("email", (q) => q.eq("email", normalized))
+    .filter((q) => q.neq(q.field("emailVerificationTime"), undefined))
+    .take(2);
+  return normalizedUsers.length === 1 ? normalizedUsers[0] : null;
 }
 
 async function uniqueUserWithVerifiedPhone(ctx: QueryCtx, phone: string) {
@@ -210,7 +228,12 @@ async function createOrUpdateAccount(
     await ctx.db.patch(accountId, { userId });
   }
   if (args.profile.emailVerified) {
-    await ctx.db.patch(accountId, { emailVerified: args.profile.email });
+    await ctx.db.patch(accountId, {
+      emailVerified:
+        typeof args.profile.email === "string"
+          ? normalizeEmail(args.profile.email)
+          : args.profile.email,
+    });
   }
   if (args.profile.phoneVerified) {
     await ctx.db.patch(accountId, { phoneVerified: args.profile.phone });

src/server/implementation/utils.ts

@@ -26,6 +26,17 @@ export function generateRandomString(length: number, alphabet: string) {
   return osloGenerateRandomString(random, alphabet, length);
 }
 
+/**
+ * Normalize an email address for storage and comparison.
+ *
+ * Per RFC 5321 the local part *can* be case-sensitive, but in practice
+ * no major provider treats it that way. We lowercase and trim so that
+ * `User@Example.com` and `user@example.com` resolve to the same account.
+ */
+export function normalizeEmail(email: string): string {
+  return email.toLowerCase().trim();
+}
+
 export function logError(error: unknown) {
   logWithLevel(
     LOG_LEVELS.ERROR,

test/convex/email.test.ts

@@ -81,6 +81,75 @@ test("redirectTo with email", async () => {
   vi.unstubAllGlobals();
 });
 
+test("OTP sign-in with different email casing reuses same account", async () => {
+  setupEnv();
+  const t = convexTest(schema);
+
+  // First OTP sign in with mixed case
+  let code;
+  vi.stubGlobal(
+    "fetch",
+    vi.fn(async (input, init) => {
+      if (
+        typeof input === "string" &&
+        input === "https://api.resend.com/emails"
+      ) {
+        code = init.body.match(/\?code=([^\s\\]+)/)?.[1];
+        return new Response(null, { status: 200 });
+      }
+      throw new Error("Unexpected fetch");
+    }),
+  );
+
+  await t.action(api.auth.signIn, {
+    provider: "resend",
+    params: { email: "Tom@Gmail.COM" },
+  });
+  vi.unstubAllGlobals();
+
+  const { tokens } = await t.action(api.auth.signIn, {
+    params: { code },
+  });
+  expect(tokens).not.toBeNull();
+
+  // Second OTP sign in with lowercase
+  let code2;
+  vi.stubGlobal(
+    "fetch",
+    vi.fn(async (input, init) => {
+      if (
+        typeof input === "string" &&
+        input === "https://api.resend.com/emails"
+      ) {
+        code2 = init.body.match(/\?code=([^\s\\]+)/)?.[1];
+        return new Response(null, { status: 200 });
+      }
+      throw new Error("Unexpected fetch");
+    }),
+  );
+
+  await t.action(api.auth.signIn, {
+    provider: "resend",
+    params: { email: "tom@gmail.com" },
+  });
+  vi.unstubAllGlobals();
+
+  const { tokens: tokens2 } = await t.action(api.auth.signIn, {
+    params: { code: code2 },
+  });
+  expect(tokens2).not.toBeNull();
+
+  // Verify only one user and one account
+  await t.run(async (ctx) => {
+    const users = await ctx.db.query("users").collect();
+    expect(users).toHaveLength(1);
+    expect(users[0].email).toBe("tom@gmail.com");
+    const accounts = await ctx.db.query("authAccounts").collect();
+    expect(accounts).toHaveLength(1);
+    expect(accounts[0].providerAccountId).toBe("tom@gmail.com");
+  });
+});
+
 function setupEnv() {
   process.env.SITE_URL = "http://localhost:5173";
   process.env.CONVEX_SITE_URL = CONVEX_SITE_URL;