fix: make email token extraction case-insensitive (#12460)

Resolves forgejo/forgejo#12436 Uppercase the token before verification as verification is case-sensitive. Some mail clients might've lower cased. Co-authored-by: Abidos <abdullah.sowilah@gmail.com> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12460 Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-06-22 10:02:15 +00:00 · 2026-05-30 13:29:28 +02:00 · 2026-05-30 13:29:28 +02:00 · 5b7bcf042c
commit 5b7bcf042c
parent 2f0f42272c
2 changed files with 17 additions and 1 deletions
--- a/services/mailer/token/token.go
+++ b/services/mailer/token/token.go
@ -82,7 +82,7 @@ func CreateToken(ht HandlerType, user *user_model.User, data []byte) (string, er

 // ExtractToken extracts the action/user tuple from the token and verifies the content
 func ExtractToken(ctx context.Context, token string) (HandlerType, *user_model.User, []byte, error) {
-	data, err := encodingWithoutPadding.DecodeString(token)
+	data, err := encodingWithoutPadding.DecodeString(util.ToUpperASCII(token))
 	if err != nil {
 		return UnknownHandlerType, nil, nil, err
 	}
--- a/tests/integration/incoming_email_test.go
+++ b/tests/integration/incoming_email_test.go
@ -76,6 +76,22 @@ func TestIncomingEmail(t *testing.T) {
 		assert.Equal(t, payload, p)
 	})

+	t.Run("Lowercase token", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		payload := []byte{1, 2, 3, 4, 5}
+
+		token, err := token_service.CreateToken(token_service.ReplyHandlerType, user, payload)
+		require.NoError(t, err)
+		assert.NotEmpty(t, token)
+
+		ht, u, p, err := token_service.ExtractToken(db.DefaultContext, strings.ToLower(token))
+		require.NoError(t, err)
+		assert.Equal(t, token_service.ReplyHandlerType, ht)
+		assert.Equal(t, user.ID, u.ID)
+		assert.Equal(t, payload, p)
+	})
+
 	tokenEncoding := base32.StdEncoding.WithPadding(base32.NoPadding)
 	t.Run("Deprecated token version", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()