fix(#7787): Added userInsensitive for comparrison checks in dbAuth

docs/docs/auth/dbauth.md

@@ -248,6 +248,27 @@ resetPassword: {
 
 This handler is invoked after the password has been successfully changed in the database. Returning something truthy (like `return user`) will automatically log the user in after their password is changed. If you'd like to return them to the login page and make them log in manually, `return false` and redirect the user in the Reset Password page.
 
+### usernameMatch
+
+This configuration allows you to perform a case insensitive check on a username at the point of user creation.
+
+```javascript
+signup: {
+  userMatch: 'insensitive'
+}
+```
+
+By default no setting is required. This is because each db has its own rules for enabling this feature. To enable please see the table below and pick the correct 'userMatchString' for your db of choice.
+
+| DB | Default  | userMatchString  | notes |
+|---|---|---|---|
+| Postgres  | 'default'  | 'insensitive'  | |
+| MySQL  | 'case-insensitive'  | N/A  | turned on by default so no setting required |
+| MongoDB  | 'default'  | 'insensitive'  |
+| SQLite | N/A  | N/A  | [Not Supported] Insensitive checks can only be defined at a per column level |
+| Microsoft SQL Server | 'case-insensitive' | N/A | turned on by default so no setting required |
+
+
 ### Cookie config
 
 These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config).

packages/auth-providers/dbAuth/api/src/DbAuthHandler.ts

@@ -67,6 +67,11 @@ interface SignupFlowOptions {
     usernameTaken?: string
     flowNotEnabled?: string
   }
+
+  /**
+   * Allows the user to define if the UserCheck for their selected db provider should use case insensitive
+   */
+  usernameMatch?: string
 }
 
 interface ForgotPasswordFlowOptions<TUser = Record<string | number, any>> {
@@ -1282,8 +1287,22 @@ export class DbAuthHandler<
       this._validateField('username', username) &&
       this._validateField('password', password)
     ) {
+      // Each db provider has it owns rules for case insensitive comparison.
+      // We are checking if you have defined one for your db choice here
+      // https://www.prisma.io/docs/concepts/components/prisma-client/case-sensitivity
+      const usernameMatchFlowOption = (this.options.signup as SignupFlowOptions)
+        ?.usernameMatch
+      const findUniqueUserMatchCriteriaOptions = !usernameMatchFlowOption
+        ? { [this.options.authFields.username]: username }
+        : {
+            [this.options.authFields.username]: {
+              equals: username,
+              mode: usernameMatchFlowOption,
+            },
+          }
+
       const user = await this.dbAccessor.findUnique({
-        where: { [this.options.authFields.username]: username },
+        where: findUniqueUserMatchCriteriaOptions,
       })
       if (user) {
         throw new DbAuthError.DuplicateUsernameError(

packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.test.js

@@ -2340,6 +2340,55 @@ describe('dbAuth', () => {
       expect.assertions(2)
     })
 
+    it('createUser db check is called with insensitive string when user has provided one in SignupFlowOptions', async () => {
+      const spy = jest.spyOn(db.user, 'findUnique')
+      options.signup.usernameMatch = 'insensitive'
+
+      const dbUser = await createDbUser()
+      event.body = JSON.stringify({
+        username: dbUser.email,
+        password: 'password',
+      })
+      const dbAuth = new DbAuthHandler(event, context, options)
+
+      await dbAuth._createUser()
+      expect(spy).toHaveBeenCalled()
+      return expect(spy).toHaveBeenCalledWith({
+        where: {
+          email: expect.objectContaining({ mode: 'insensitive' }),
+        },
+      })
+    })
+
+    it('createUser db check is not called with insensitive string when user has not provided one in SignupFlowOptions', async () => {
+      jest.resetAllMocks()
+      jest.clearAllMocks()
+
+      const defaultMessage = options.signup.errors.usernameTaken
+      const spy = jest.spyOn(db.user, 'findUnique')
+      delete options.signup.usernameMatch
+
+      const dbUser = await createDbUser()
+      event.body = JSON.stringify({
+        username: dbUser.email,
+        password: 'password',
+      })
+      const dbAuth = new DbAuthHandler(event, context, options)
+      await dbAuth._createUser().catch((e) => {
+        expect(e).toBeInstanceOf(dbAuthError.DuplicateUsernameError)
+        expect(e.message).toEqual(
+          defaultMessage.replace(/\$\{username\}/, dbUser.email)
+        )
+      })
+
+      expect(spy).toHaveBeenCalled()
+      return expect(spy).not.toHaveBeenCalledWith({
+        where: {
+          email: expect.objectContaining({ mode: 'insensitive' }),
+        },
+      })
+    })
+
     it('throws a default error message if username is missing', async () => {
       const defaultMessage = options.signup.errors.fieldMissing
       delete options.signup.errors.fieldMissing