From 0819dffde9882721bb9270d67061b638efbcc19c Mon Sep 17 00:00:00 2001
From: hjlarry <hjlarry@163.com>
Date: Sat, 20 Dec 2025 16:17:16 +0800
Subject: [PATCH] web login email lower

---
 api/controllers/web/login.py                  | 10 ++-
 api/services/webapp_auth_service.py           |  5 +-
 .../unit_tests/controllers/web/test_login.py  | 86 +++++++++++++++++++
 3 files changed, 95 insertions(+), 6 deletions(-)
 create mode 100644 api/tests/unit_tests/controllers/web/test_login.py

diff --git a/api/controllers/web/login.py b/api/controllers/web/login.py
index 538d0c44be..05267757cf 100644
--- a/api/controllers/web/login.py
+++ b/api/controllers/web/login.py
@@ -190,25 +190,27 @@ class EmailCodeLoginApi(Resource):
         )
         args = parser.parse_args()
 
-        user_email = args["email"]
+        user_email = args["email"].lower()
 
         token_data = WebAppAuthService.get_email_code_login_data(args["token"])
         if token_data is None:
             raise InvalidTokenError()
 
-        if token_data["email"] != args["email"]:
+        token_email = token_data.get("email")
+        normalized_token_email = token_email.lower() if isinstance(token_email, str) else token_email
+        if normalized_token_email != user_email:
             raise InvalidEmailError()
 
         if token_data["code"] != args["code"]:
             raise EmailCodeError()
 
         WebAppAuthService.revoke_email_code_login_token(args["token"])
-        account = WebAppAuthService.get_user_through_email(user_email)
+        account = WebAppAuthService.get_user_through_email(token_email)
         if not account:
             raise AuthenticationFailedError()
 
         token = WebAppAuthService.login(account=account)
-        AccountService.reset_login_error_rate_limit(args["email"])
+        AccountService.reset_login_error_rate_limit(user_email)
         response = make_response({"result": "success", "data": {"access_token": token}})
         # set_access_token_to_cookie(request, response, token, samesite="None", httponly=False)
         return response
diff --git a/api/services/webapp_auth_service.py b/api/services/webapp_auth_service.py
index 9bd797a45f..5ca0b63001 100644
--- a/api/services/webapp_auth_service.py
+++ b/api/services/webapp_auth_service.py
@@ -12,6 +12,7 @@ from libs.passport import PassportService
 from libs.password import compare_password
 from models import Account, AccountStatus
 from models.model import App, EndUser, Site
+from services.account_service import AccountService
 from services.app_service import AppService
 from services.enterprise.enterprise_service import EnterpriseService
 from services.errors.account import AccountLoginError, AccountNotFoundError, AccountPasswordError
@@ -32,7 +33,7 @@ class WebAppAuthService:
     @staticmethod
     def authenticate(email: str, password: str) -> Account:
         """authenticate account with email and password"""
-        account = db.session.query(Account).filter_by(email=email).first()
+        account = AccountService.get_account_by_email_with_case_fallback(email)
         if not account:
             raise AccountNotFoundError()
 
@@ -52,7 +53,7 @@ class WebAppAuthService:
 
     @classmethod
     def get_user_through_email(cls, email: str):
-        account = db.session.query(Account).where(Account.email == email).first()
+        account = AccountService.get_account_by_email_with_case_fallback(email)
         if not account:
             return None
 
diff --git a/api/tests/unit_tests/controllers/web/test_login.py b/api/tests/unit_tests/controllers/web/test_login.py
new file mode 100644
index 0000000000..8b6b34d2f9
--- /dev/null
+++ b/api/tests/unit_tests/controllers/web/test_login.py
@@ -0,0 +1,86 @@
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+
+import pytest
+from flask import Flask
+
+from controllers.web.login import EmailCodeLoginApi, EmailCodeLoginSendEmailApi
+
+
+@pytest.fixture
+def app():
+    flask_app = Flask(__name__)
+    flask_app.config["TESTING"] = True
+    return flask_app
+
+
+@pytest.fixture(autouse=True)
+def _patch_wraps():
+    wraps_features = SimpleNamespace(enable_email_password_login=True)
+    console_dify = SimpleNamespace(ENTERPRISE_ENABLED=True, EDITION="CLOUD")
+    web_dify = SimpleNamespace(ENTERPRISE_ENABLED=True)
+    with (
+        patch("controllers.console.wraps.db") as mock_db,
+        patch("controllers.console.wraps.dify_config", console_dify),
+        patch("controllers.console.wraps.FeatureService.get_system_features", return_value=wraps_features),
+        patch("controllers.web.login.dify_config", web_dify),
+    ):
+        mock_db.session.query.return_value.first.return_value = MagicMock()
+        yield
+
+
+class TestEmailCodeLoginSendEmailApi:
+    @patch("controllers.web.login.WebAppAuthService.send_email_code_login_email")
+    @patch("controllers.web.login.WebAppAuthService.get_user_through_email")
+    def test_should_fetch_account_with_original_email(
+        self,
+        mock_get_user,
+        mock_send_email,
+        app,
+    ):
+        mock_account = MagicMock()
+        mock_get_user.return_value = mock_account
+        mock_send_email.return_value = "token-123"
+
+        with app.test_request_context(
+            "/web/email-code-login",
+            method="POST",
+            json={"email": "User@Example.com", "language": "en-US"},
+        ):
+            response = EmailCodeLoginSendEmailApi().post()
+
+        assert response == {"result": "success", "data": "token-123"}
+        mock_get_user.assert_called_once_with("User@Example.com")
+        mock_send_email.assert_called_once_with(account=mock_account, language="en-US")
+
+
+class TestEmailCodeLoginApi:
+    @patch("controllers.web.login.AccountService.reset_login_error_rate_limit")
+    @patch("controllers.web.login.WebAppAuthService.login", return_value="new-access-token")
+    @patch("controllers.web.login.WebAppAuthService.get_user_through_email")
+    @patch("controllers.web.login.WebAppAuthService.revoke_email_code_login_token")
+    @patch("controllers.web.login.WebAppAuthService.get_email_code_login_data")
+    def test_should_normalize_email_before_validating(
+        self,
+        mock_get_token_data,
+        mock_revoke_token,
+        mock_get_user,
+        mock_login,
+        mock_reset_login_rate,
+        app,
+    ):
+        mock_get_token_data.return_value = {"email": "User@Example.com", "code": "123456"}
+        mock_get_user.return_value = MagicMock()
+
+        with app.test_request_context(
+            "/web/email-code-login/validity",
+            method="POST",
+            json={"email": "User@Example.com", "code": "123456", "token": "token-123"},
+        ):
+            response = EmailCodeLoginApi().post()
+
+        assert response.get_json() == {"result": "success", "data": {"access_token": "new-access-token"}}
+        mock_get_user.assert_called_once_with("User@Example.com")
+        mock_revoke_token.assert_called_once_with("token-123")
+        mock_login.assert_called_once()
+        mock_reset_login_rate.assert_called_once_with("user@example.com")