registration: trim spaces and sanity check user email from form

When a user attempts to register an email, trim prefixed and trailing spaces, then perform a basic sanity check to ensure it's of form "test@example.com". Fixes #163
2015-11-30 18:50:55 -05:00 · 2015-11-30 18:50:55 -05:00 · 8be9396811
commit 8be9396811
parent a9ab63893d
2 changed files with 33 additions and 2 deletions
--- a/server/register.go
+++ b/server/register.go
@ -104,7 +104,7 @@ func handleRegisterFunc(s *Server) http.HandlerFunc {
 		trustedEmail := ses.Identity.Email != "" && idpc.TrustedEmailProvider()
 		validate := r.Form.Get("validate") == "1"
 		formErrors := []formError{}
-		email := r.Form.Get("email")
+		email := strings.TrimSpace(r.Form.Get("email"))

 		// only auto-populate the first time the page is GETted, not on
 		// subsequent POSTs
@ -114,7 +114,7 @@ func handleRegisterFunc(s *Server) http.HandlerFunc {

 		password := r.Form.Get("password")
 		if validate {
-			if email == "" {
+			if email == "" || !user.ValidEmail(email) {
 				formErrors = append(formErrors, formError{"email", "Please supply a valid email"})
 			}
 			if local && password == "" {
--- a/server/register_test.go
+++ b/server/register_test.go
@ -146,6 +146,37 @@ func TestHandleRegister(t *testing.T) {
 			wantStatus:      http.StatusSeeOther,
 			wantUserCreated: true,
 		},
+		{
+			// User comes in with spaces in their email, having submitted the
+			// form. The email is trimmed and the user is created.
+			query: url.Values{
+				"code":     []string{"code-2"},
+				"validate": []string{"1"},
+				"email":    str("\t\ntest@example.com "),
+				"password": str("password"),
+			},
+			connID:          "local",
+			wantStatus:      http.StatusSeeOther,
+			wantUserCreated: true,
+		},
+		{
+			// User comes in with an invalid email, having submitted the form.
+			// The email is rejected and the user is not created.
+			query: url.Values{
+				"code":     []string{"code-2"},
+				"validate": []string{"1"},
+				"email":    str("aninvalidemail"),
+				"password": str("password"),
+			},
+			connID:     "local",
+			wantStatus: http.StatusBadRequest,
+			wantFormValues: url.Values{
+				"code":     str("code-3"),
+				"email":    str("aninvalidemail"),
+				"password": str("password"),
+				"validate": str("1"),
+			},
+		},
 		{
 			// User comes in with a valid code, having submitted the form, but
 			// there's no password.