supabase · lingcoder · Nov 21, 2025 · Nov 30, 2025 · Nov 30, 2025
@@ -52,7 +52,9 @@ func ParseMessage(raw string) (*SIWEMessage, error) {
 		return nil, ErrInvalidDomain
 	}
 
-	address := strings.TrimSpace(lines[1])
+	// Normalize Ethereum addresses to lowercase to prevent case-sensitivity issues
+	// Ethereum addresses are case-insensitive (EIP-55 uses mixed case for checksum)
+	address := strings.ToLower(strings.TrimSpace(lines[1]))
 	if !addressPattern.MatchString(address) {
 		return nil, ErrInvalidAddress
 	}

@@ -116,7 +116,7 @@ func TestParseMessage(t *testing.T) {
 
 			require.Nil(t, err)
 			require.Equal(t, "example.com", parsed.Domain)
-			require.Equal(t, "0x196a28d05bA75C8dC35B0F6e71DD622D1aC82b7E", parsed.Address)
+			require.Equal(t, "0x196a28d05ba75c8dc35b0f6e71dd622d1ac82b7e", parsed.Address)
 
 			if i == 0 {
 				require.Equal(t, "Sign in to Example App", *parsed.Statement)

@@ -0,0 +1,17 @@
+-- Normalize Ethereum addresses in provider_id to lowercase to prevent case-sensitivity issues
+-- This migration must run BEFORE deploying the code change that lowercases addresses in parser.go
+-- Background: Ethereum addresses are case-insensitive, but EIP-55 uses mixed case for checksums.
+-- This migration ensures existing checksummed addresses are normalized to lowercase to match
+-- the new behavior where addresses are lowercased at parse time.
+--
+-- Note: identity_data is NOT updated because it's only metadata for display purposes.
+-- The provider_id field is the only field used for identity lookup and uniqueness.
+
+/* auth_migration: 20251202014000 */
+
+-- Update all web3:ethereum provider_id entries to use lowercase addresses
+-- Format: "web3:ethereum:0xABCDEF..." -> "web3:ethereum:0xabcdef..."
+update {{ index .Options "Namespace" }}.identities
+set provider_id = lower(provider_id)
+where provider = 'web3'
+  and provider_id LIKE 'web3:ethereum:0x%';