Handle Gmail plus-address aliases in account validation

wesm · claude · wesm · commit ea4624f5d08d · 2026-03-15T16:51:10.000-05:00
Gmail ignores +suffix in the local part, so user+tag@gmail.com is
the same account as user@gmail.com. normalizeGmailAddress now strips
the +suffix before comparing, preventing false TokenMismatchError
for users who use tagged Gmail addresses as their account identifier.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/internal/oauth/oauth.go b/internal/oauth/oauth.go
@@ -352,6 +352,7 @@ func (m *Manager) resolveTokenEmail(
 // same Google account. This covers the common alias cases:
 //   - exact match (case-insensitive)
 //   - gmail.com dot-insensitive (first.last@gmail.com == firstlast@gmail.com)
+//   - gmail.com plus-address (user+tag@gmail.com == user@gmail.com)
 //   - googlemail.com ↔ gmail.com equivalence
 //
 // For Google Workspace domains we cannot verify aliases without an
@@ -369,9 +370,9 @@ func sameGoogleAccount(expected, canonical string) bool {
 }
 
 // normalizeGmailAddress returns a canonical form of a gmail.com or
-// googlemail.com address by lowercasing, removing dots from the local
-// part, and mapping googlemail.com → gmail.com. Returns "" for
-// non-Gmail addresses.
+// googlemail.com address by lowercasing, stripping +suffixes and dots
+// from the local part, and mapping googlemail.com → gmail.com.
+// Returns "" for non-Gmail addresses.
 func normalizeGmailAddress(email string) string {
 	at := strings.LastIndex(email, "@")
 	if at < 0 {
@@ -384,7 +385,10 @@ func normalizeGmailAddress(email string) string {
 		return ""
 	}
 
-	// Gmail ignores dots in the local part
+	// Gmail ignores dots and +suffixes in the local part
+	if plus := strings.Index(local, "+"); plus >= 0 {
+		local = local[:plus]
+	}
 	local = strings.ReplaceAll(local, ".", "")
 	return local + "@gmail.com"
 }
diff --git a/internal/oauth/oauth_test.go b/internal/oauth/oauth_test.go
@@ -787,6 +787,9 @@ func TestSameGoogleAccount(t *testing.T) {
 		{"exact match", "user@gmail.com", "user@gmail.com", true},
 		{"case insensitive", "User@Gmail.Com", "user@gmail.com", true},
 		{"dot insensitive", "first.last@gmail.com", "firstlast@gmail.com", true},
+		{"plus address", "user+tag@gmail.com", "user@gmail.com", true},
+		{"plus with dots", "f.oo+bar@gmail.com", "foo@gmail.com", true},
+		{"plus googlemail", "user+x@googlemail.com", "user@gmail.com", true},
 		{"googlemail alias", "user@googlemail.com", "user@gmail.com", true},
 		{"different users", "alice@gmail.com", "bob@gmail.com", false},
 		{"different domains", "user@example.com", "user@gmail.com", false},
@@ -819,6 +822,9 @@ func TestNormalizeGmailAddress(t *testing.T) {
 		{"first.last@gmail.com", "firstlast@gmail.com"},
 		{"user@googlemail.com", "user@gmail.com"},
 		{"f.i.r.s.t@googlemail.com", "first@gmail.com"},
+		{"user+tag@gmail.com", "user@gmail.com"},
+		{"user+@gmail.com", "user@gmail.com"},
+		{"f.o.o+bar@googlemail.com", "foo@gmail.com"},
 		{"user@example.com", ""},
 		{"noatsign", ""},
 	}
