feat(API): permissive email check in login, reset & verification (#6648)

* feat(API): permissive email check in reset & verification

In order to not force users to be case sensitive when asking for
password reset or resend email verification. When there's multiple
emails where the only difference in the local is the capitalized
letters, in those cases the users has to be case sensitive.

closes #6570

* feat(API/login): permissive email handling

Allow case insensitive email when there's no other candidate.

closes #6570

* code review changes

* Fix tests

* Add more duplicate email checks

---------

Co-authored-by: Chocobozzz <me@florianbigard.com>

server/core/lib/auth/oauth.ts

@@ -154,12 +154,14 @@ async function handlePasswordGrant (options: {
 
   const user = await getUser(usernameOrEmail, password, bypassLogin)
   if (!user) {
-    const registration = await UserRegistrationModel.loadByEmailOrUsername(usernameOrEmail)
+    const registrations = await UserRegistrationModel.listByEmailCaseInsensitiveOrUsername(usernameOrEmail)
 
-    if (registration?.state === UserRegistrationState.REJECTED) {
-      throw new RegistrationApprovalRejected('Registration approval for this account has been rejected')
-    } else if (registration?.state === UserRegistrationState.PENDING) {
-      throw new RegistrationWaitingForApproval('Registration for this account is awaiting approval')
+    if (registrations.length === 1) {
+      if (registrations[0].state === UserRegistrationState.REJECTED) {
+        throw new RegistrationApprovalRejected('Registration approval for this account has been rejected')
+      } else if (registrations[0].state === UserRegistrationState.PENDING) {
+        throw new RegistrationWaitingForApproval('Registration for this account is awaiting approval')
+      }
     }
 
     throw new InvalidGrantError('Invalid grant: user credentials are invalid')