fix: normalize email addresses for admin authentication (#13)

* fix: normalize email addresses for admin authentication

- Add centralized email normalization in internal/utils/email.go
- Normalize emails to lowercase and trim whitespace
- Apply normalization during config loading and auth checks
- Add comprehensive tests for email normalization
- Fixes issue where admin emails with different cases or whitespace were not recognized

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* style: fix formatting and add missing newlines

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

---------

Co-authored-by: Claude <[email protected]>

Author: dgellow

internal/auth/admin.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/dgellow/mcp-front/internal/config"
 	"github.com/dgellow/mcp-front/internal/storage"
+	"github.com/dgellow/mcp-front/internal/utils"
 )
 
 // IsAdmin checks if a user is admin (either config-based or promoted)
@@ -13,8 +14,11 @@ func IsAdmin(ctx context.Context, email string, adminConfig *config.AdminConfig,
 		return false
 	}
 
+	// Normalize the input email
+	normalizedEmail := utils.NormalizeEmail(email)
+
 	// Check if user is a config admin (super admin)
-	if IsConfigAdmin(email, adminConfig) {
+	if IsConfigAdmin(normalizedEmail, adminConfig) {
 		return true
 	}
 
@@ -23,7 +27,7 @@ func IsAdmin(ctx context.Context, email string, adminConfig *config.AdminConfig,
 		users, err := store.GetAllUsers(ctx)
 		if err == nil {
 			for _, user := range users {
-				if user.Email == email && user.IsAdmin {
+				if utils.NormalizeEmail(user.Email) == normalizedEmail && user.IsAdmin {
 					return true
 				}
 			}
@@ -39,8 +43,13 @@ func IsConfigAdmin(email string, adminConfig *config.AdminConfig) bool {
 		return false
 	}
 
+	// Email should already be normalized by the caller, but normalize anyway for safety
+	normalizedEmail := utils.NormalizeEmail(email)
+
 	for _, adminEmail := range adminConfig.AdminEmails {
-		if email == adminEmail {
+		// Admin emails should be normalized during config load, but we normalize here too
+		// to handle any legacy configs or manual edits
+		if utils.NormalizeEmail(adminEmail) == normalizedEmail {
 			return true
 		}
 	}

internal/auth/admin_test.go

@@ -0,0 +1,171 @@
+package auth
+
+import (
+	"context"
+	"testing"
+
+	"github.com/dgellow/mcp-front/internal/config"
+	"github.com/dgellow/mcp-front/internal/storage"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestIsConfigAdmin(t *testing.T) {
+	adminConfig := &config.AdminConfig{
+		Enabled: true,
+		AdminEmails: []string{
+			"[email protected]",
+			"[email protected]",
+			"  [email protected]  ",
+		},
+	}
+
+	tests := []struct {
+		name     string
+		email    string
+		expected bool
+	}{
+		{
+			name:     "exact match lowercase",
+			email:    "[email protected]",
+			expected: true,
+		},
+		{
+			name:     "uppercase input for lowercase config",
+			email:    "[email protected]",
+			expected: true,
+		},
+		{
+			name:     "mixed case input",
+			email:    "[email protected]",
+			expected: true,
+		},
+		{
+			name:     "exact match uppercase config",
+			email:    "[email protected]",
+			expected: true,
+		},
+		{
+			name:     "whitespace in input",
+			email:    "  [email protected]  ",
+			expected: true,
+		},
+		{
+			name:     "match config with whitespace",
+			email:    "[email protected]",
+			expected: true,
+		},
+		{
+			name:     "non-admin email",
+			email:    "[email protected]",
+			expected: false,
+		},
+		{
+			name:     "empty email",
+			email:    "",
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := IsConfigAdmin(tt.email, adminConfig)
+			assert.Equal(t, tt.expected, result, "IsConfigAdmin(%q, adminConfig)", tt.email)
+		})
+	}
+}
+
+func TestIsConfigAdmin_NilOrDisabled(t *testing.T) {
+	tests := []struct {
+		name        string
+		adminConfig *config.AdminConfig
+		email       string
+		expected    bool
+	}{
+		{
+			name:        "nil admin config",
+			adminConfig: nil,
+			email:       "[email protected]",
+			expected:    false,
+		},
+		{
+			name: "disabled admin config",
+			adminConfig: &config.AdminConfig{
+				Enabled:     false,
+				AdminEmails: []string{"[email protected]"},
+			},
+			email:    "[email protected]",
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := IsConfigAdmin(tt.email, tt.adminConfig)
+			assert.Equal(t, tt.expected, result, "IsConfigAdmin(%q, %v)", tt.email, tt.adminConfig)
+		})
+	}
+}
+
+func TestIsAdmin(t *testing.T) {
+	ctx := context.Background()
+
+	// Create a mock storage with a promoted admin
+	store := storage.NewMemoryStorage()
+	// Create users and set admin status
+	require.NoError(t, store.UpsertUser(ctx, "[email protected]"), "Failed to upsert promoted user") // Uppercase to test normalization
+	require.NoError(t, store.SetUserAdmin(ctx, "[email protected]", true), "Failed to set user as admin")
+	require.NoError(t, store.UpsertUser(ctx, "[email protected]"), "Failed to upsert regular user")
+	// [email protected] remains non-admin by default
+
+	adminConfig := &config.AdminConfig{
+		Enabled: true,
+		AdminEmails: []string{
+			"[email protected]",
+		},
+	}
+
+	tests := []struct {
+		name     string
+		email    string
+		expected bool
+	}{
+		{
+			name:     "config admin with exact case",
+			email:    "[email protected]",
+			expected: true,
+		},
+		{
+			name:     "config admin with different case",
+			email:    "[email protected]",
+			expected: true,
+		},
+		{
+			name:     "promoted admin with exact case",
+			email:    "[email protected]",
+			expected: true,
+		},
+		{
+			name:     "promoted admin with different case",
+			email:    "[email protected]",
+			expected: true,
+		},
+		{
+			name:     "regular user",
+			email:    "[email protected]",
+			expected: false,
+		},
+		{
+			name:     "unknown user",
+			email:    "[email protected]",
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := IsAdmin(ctx, tt.email, adminConfig, store)
+			assert.Equal(t, tt.expected, result, "IsAdmin(ctx, %q, adminConfig, store)", tt.email)
+		})
+	}
+}

internal/config/unmarshal.go

@@ -6,6 +6,8 @@ import (
 	"regexp"
 	"strings"
 	"time"
+
+	"github.com/dgellow/mcp-front/internal/utils"
 )
 
 // UnmarshalJSON implements custom unmarshaling for MCPClientConfig
@@ -204,6 +206,15 @@ func (p *ProxyConfig) UnmarshalJSON(data []byte) error {
 	p.Name = raw.Name
 	p.Admin = raw.Admin
 
+	// Normalize admin emails for consistent comparison
+	if p.Admin != nil && len(p.Admin.AdminEmails) > 0 {
+		normalizedEmails := make([]string, len(p.Admin.AdminEmails))
+		for i, email := range p.Admin.AdminEmails {
+			normalizedEmails[i] = utils.NormalizeEmail(email)
+		}
+		p.Admin.AdminEmails = normalizedEmails
+	}
+
 	// Parse BaseURL
 	if raw.BaseURL != nil {
 		parsed, err := ParseConfigValue(raw.BaseURL)

internal/utils/email.go

@@ -0,0 +1,9 @@
+package utils
+
+import "strings"
+
+// NormalizeEmail normalizes an email address for consistent comparison
+// by converting to lowercase and trimming whitespace
+func NormalizeEmail(email string) string {
+	return strings.ToLower(strings.TrimSpace(email))
+}

internal/utils/email_test.go

@@ -0,0 +1,68 @@
+package utils
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNormalizeEmail(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "lowercase email",
+			input:    "[email protected]",
+			expected: "[email protected]",
+		},
+		{
+			name:     "uppercase email",
+			input:    "[email protected]",
+			expected: "[email protected]",
+		},
+		{
+			name:     "mixed case email",
+			input:    "[email protected]",
+			expected: "[email protected]",
+		},
+		{
+			name:     "email with leading whitespace",
+			input:    "  [email protected]",
+			expected: "[email protected]",
+		},
+		{
+			name:     "email with trailing whitespace",
+			input:    "[email protected]  ",
+			expected: "[email protected]",
+		},
+		{
+			name:     "email with surrounding whitespace",
+			input:    "  [email protected]  ",
+			expected: "[email protected]",
+		},
+		{
+			name:     "email with tabs and newlines",
+			input:    "\t\n[email protected]\n\t",
+			expected: "[email protected]",
+		},
+		{
+			name:     "empty string",
+			input:    "",
+			expected: "",
+		},
+		{
+			name:     "only whitespace",
+			input:    "   \t\n   ",
+			expected: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := NormalizeEmail(tt.input)
+			assert.Equal(t, tt.expected, result, "NormalizeEmail(%q)", tt.input)
+		})
+	}
+}