bug: email login is case-sensitive — same email with different capitalization creates duplicate workspaces

[saif-at-scalekit]

Summary

A user reported being unable to see their organization in the WebUI (Pylon #661). Root cause: two separate workspaces were created for the same email address due to a capitalization difference — robert.aletter@rmc-consult.de vs Robert.aletter@rmc-consult.de.

Root cause

Email addresses are treated case-sensitively during account lookup and login. When the user first signed up with one capitalization and later logged in with a different capitalization (common with mobile keyboards and email clients that auto-capitalize), the platform created a second, empty workspace instead of routing them to their existing one.

Impact

• The user sees an empty workspace — all configured organizations, SSO connections, and SCIM directories appear missing
• Requires manual ops intervention to merge or deactivate the duplicate workspace
• Any customer who varies capitalization in their email (including automated SSO login flows that may not preserve case) is at risk

Resolution applied

Ops manually merged the two workspaces: the correctly-configured workspace was kept and the duplicate was marked inactive. The user now lands in the correct workspace regardless of email capitalization.

Action needed

• Normalize email addresses to lowercase on account creation and during all login lookup paths
• Audit existing accounts for duplicates caused by this issue
• RFC 5321 treats the local-part of an email address as case-insensitive in practice — align platform behavior accordingly

References

• Pylon Add Linear tools docs #661: https://app.usepylon.com/issues?issueNumber=661