fix: normalize oauth emails before matching users

[tristanbob]

Changes

• Normalize the OAuth email before looking up an existing user.
• Reuse the normalized email when creating a new OAuth user record.
• Add a regression test for the case where the provider returns a mixed-case email for an already-existing lowercase user.

(This is Tristan, a human, and have review this PR for accuracy)

Issues

• Fixes [Bug]: Google OAuth fails when provider returns mixed-case email #9487
• Possible duplicates: [Bug]: Issue with Authentik and Coolify OAuth (Failed to process callback from login provider.) #5498, [Bug]: Zitadel oauth error #6681

Category

• Bug fix
• Improvement
• New feature
• Adding new one click service
• Fixing or updating existing one click service

Preview

N/A. This is a backend auth bug fix with no UI change.

AI Assistance

• AI was NOT used to create this PR
• AI was used (please describe below)

If AI was used:

• Tools used: Codex / GPT-5
• How extensively: AI was used to investigate the bug, prepare the patch, and add a regression test. The final change was validated manually and tested locally before opening the PR.

Testing

• Reproduced the bug locally with Google OAuth returning a mixed-case email for an existing user.
• Confirmed the old behavior failed to match the existing user and could fall through to a duplicate-email create path.
• Verified the fix logs in the existing user successfully when the provider returns a mixed-case email.
• Ran php artisan test --compact tests/Feature/OauthControllerTest.php
• Ran vendor/bin/pint --dirty --format agent

Contributor Agreement

Important

• I have read and understood the contributor guidelines. If I have failed to follow any guideline, I understand that this PR may be closed without review.
• I have searched existing issues and pull requests (including closed ones) to ensure this isn't a duplicate.
• I have tested all the changes thoroughly with a local development instance of Coolify and I am confident that they will work as expected when a maintainer tests them.

[Iisyourdad]

Nice catch and fix @tristanbob for the mixed-case lookup issue. There's one huge edge case that needs to be looked at though, if a provider returns no email, (string) $oauthUser->email will turn that into '', so the callback can continue with an empty email instead of failing.

That means we could end up querying whereEmail(''), and if registration is enabled, potentially creating an OAuth user with an empty email.

Can you add an explicit non-empty email check before normalizing plus a small regression test for null / blank provider emails?

TLDR: One huge edge case: casting $oauthUser->email to string means a missing email becomes '' so the OAuth flow can continue with an empty email rather than failing.

My suggested fix is...

$oauthUser = get_socialite_provider($provider)->user();

$email = trim((string) $oauthUser->email);

if ($email === '') {
    abort(403, 'OAuth provider did not return an email address');
}

$email = strtolower($email);
$user = User::whereEmail($email)->first();

if (! $user) {
    $settings = instanceSettings();
    if (! $settings->is_registration_enabled) {
        abort(403, 'Registration is disabled');
    }

    $user = User::create([
        'name' => $oauthUser->name,
        'email' => $email,
    ]);
}