fix: case sensitivity issue with email invites (#1486)

Fixes: HDX-3055
Fixes: #1482

Author: teeohhem

.changeset/tasty-clouds-listen.md

@@ -0,0 +1,5 @@
+---
+"@hyperdx/api": patch
+---
+
+fix: case sensitivity issue with email invites

packages/api/src/controllers/user.ts

@@ -12,14 +12,16 @@ export function findUserById(id: string) {
 }
 
 export function findUserByEmail(email: string) {
-  return User.findOne({ email });
+  // Case-insensitive email search - lowercase the email since User model stores emails in lowercase
+  return User.findOne({ email: email.toLowerCase() });
 }
 
 export async function findUserByEmailInTeam(
   email: string,
   team: string | ObjectId,
 ) {
-  return User.findOne({ email, team });
+  // Case-insensitive email search - lowercase the email since User model stores emails in lowercase
+  return User.findOne({ email: email.toLowerCase(), team });
 }
 
 export function findUsersByTeam(team: string | ObjectId) {

packages/api/src/routers/api/__tests__/team.test.ts

@@ -140,6 +140,75 @@ Array [
     expect(resp.body.url).toContain(`/join-team?token=${teamInvite.token}`);
   });
 
+  it('POST /team/invitation with different case reuses existing invitation', async () => {
+    const { agent } = await getLoggedInAgent(server);
+
+    // Create invitation with lowercase email
+    const resp1 = await agent
+      .post('/team/invitation')
+      .send({
+        email: '[email protected]',
+        name: 'Case Test',
+      })
+      .expect(200);
+
+    const firstInvite = await TeamInvite.findOne({
+      email: '[email protected]',
+    });
+    expect(firstInvite).not.toBeNull();
+    const firstToken = firstInvite!.token;
+
+    // Try to create invitation with uppercase email
+    const resp2 = await agent
+      .post('/team/invitation')
+      .send({
+        email: '[email protected]',
+        name: 'Case Test 2',
+      })
+      .expect(200);
+
+    // Should reuse the same invitation (same token)
+    const secondInvite = await TeamInvite.findOne({
+      email: '[email protected]',
+    });
+    expect(secondInvite).not.toBeNull();
+    expect(secondInvite!.token).toBe(firstToken);
+
+    // Should only have one invitation in the database
+    const allInvites = await TeamInvite.find({
+      email: '[email protected]',
+    });
+    expect(allInvites).toHaveLength(1);
+  });
+
+  it('POST /team/invitation rejects existing user regardless of email case', async () => {
+    const { agent, team } = await getLoggedInAgent(server);
+
+    // Create a user with lowercase email
+    await User.create({
+      email: '[email protected]',
+      team: team.id,
+    });
+
+    // Try to invite with different casing - should be rejected
+    await agent
+      .post('/team/invitation')
+      .send({
+        email: '[email protected]',
+        name: 'Existing User',
+      })
+      .expect(400);
+
+    // Try to invite with exact same casing - should also be rejected
+    await agent
+      .post('/team/invitation')
+      .send({
+        email: '[email protected]',
+        name: 'Existing User',
+      })
+      .expect(400);
+  });
+
   it('GET /team/invitations', async () => {
     const { agent } = await getLoggedInAgent(server);
     await Promise.all([

packages/api/src/routers/api/team.ts

@@ -151,16 +151,20 @@ router.post(
         });
       }
 
+      // Normalize email to lowercase for consistency
+      const normalizedEmail = toEmail.toLowerCase();
+
+      // Check for existing invitation with normalized email
       let teamInvite = await TeamInvite.findOne({
         teamId,
-        email: toEmail, // TODO: case insensitive ?
+        email: normalizedEmail,
       });
 
       if (!teamInvite) {
         teamInvite = await new TeamInvite({
           teamId,
           name,
-          email: toEmail, // TODO: case insensitive ?
+          email: normalizedEmail,
           token: crypto.randomBytes(32).toString('hex'),
         }).save();
       }