From 8be9396811c713393c9085dfadce381cfd816c95 Mon Sep 17 00:00:00 2001
From: Eric Chiang
Date: Mon, 30 Nov 2015 18:50:55 -0500
Subject: [PATCH] registration: trim spaces and sanity check user email from form

When a user attempts to register an email, trim prefixed and trailing spaces, then perform a basic sanity check to ensure it's of form "test@example.com".

Fixes #163
---
 server/register.go | 4 ++--
 server/register_test.go | 31 +++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/server/register.go b/server/register.go
index edb9fbdb..0413f7e1 100644
--- a/server/register.go
+++ b/server/register.go
@@ -104,7 +104,7 @@ func handleRegisterFunc(s *Server) http.HandlerFunc {
 trustedEmail := ses.Identity.Email != "" && idpc.TrustedEmailProvider()
 validate := r.Form.Get("validate") == "1"
 formErrors := []formError{}
- email := r.Form.Get("email")
+ email := strings.TrimSpace(r.Form.Get("email"))
 
 // only auto-populate the first time the page is GETted, not on
 // subsequent POSTs
@@ -114,7 +114,7 @@ func handleRegisterFunc(s *Server) http.HandlerFunc {
 password := r.Form.Get("password")
 
 if validate {
- if email == "" {
+ if email == "" || !user.ValidEmail(email) {
 formErrors = append(formErrors, formError{"email", "Please supply a valid email"})
 }
 if local && password == "" {
diff --git a/server/register_test.go b/server/register_test.go
index fe2e5756..a3970f88 100644
--- a/server/register_test.go
+++ b/server/register_test.go
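Review bot: The new `!user.ValidEmail(email)` check in the second hunk runs only inside `if validate`, while the trimmed `email` is a local that flows out of the hunk to whatever follows the validation block (the rest of handleRegisterFunc is outside this view); confirm that no later path stores or sends mail to `email` when `validate` is not "1", otherwise the check is bypassable simply by omitting `validate=1` from the POST. `user.ValidEmail` is not shown here and the commit message describes it as a basic shape check, so a why-comment on that line would keep the next reader from treating it as proof of anything more: `// user.ValidEmail is a shape check only (local@domain), not proof of deliverability or ownership.` The rejected value is echoed back into the form on the error path (the test's wantFormValues shows this), so the template rendering it presumably relies on html/template's contextual escaping; worth confirming since that rendering is outside the hunk.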
@@ -146,6 +146,37 @@ func TestHandleRegister(t *testing.T) {
 wantStatus: http.StatusSeeOther,
 wantUserCreated: true,
 },
+ {
+ // User comes in with spaces in their email, having submitted the
+ // form. The email is trimmed and the user is created.
+ query: url.Values{
+ "code": []string{"code-2"},
+ "validate": []string{"1"},
+ "email": str("\t\ntest@example.com "),
+ "password": str("password"),
+ },
+ connID: "local",
+ wantStatus: http.StatusSeeOther,
+ wantUserCreated: true,
+ },
+ {
+ // User comes in with an invalid email, having submitted the form.
+ // The email is rejected and the user is not created.
+ query: url.Values{
+ "code": []string{"code-2"},
+ "validate": []string{"1"},
+ "email": str("aninvalidemail"),
+ "password": str("password"),
+ },
+ connID: "local",
+ wantStatus: http.StatusBadRequest,
+ wantFormValues: url.Values{
+ "code": str("code-3"),
+ "email": str("aninvalidemail"),
+ "password": str("password"),
+ "validate": str("1"),
+ },
+ },
 {
 // User comes in with a valid code, having submitted the form, but
 // there's no password.
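Review bot: The new cases do not cover a whitespace-only email, which after `strings.TrimSpace` becomes empty and should be rejected by the `email == ""` branch rather than by `user.ValidEmail`; a case with `"email": str(" \t\n")` and `wantStatus: http.StatusBadRequest` would pin that path and the ordering of the two checks. The trimmed-email case asserts only that a user is created, not that the stored email is exactly `test@example.com`; if the table has a field for the expected created user (not visible here), setting it in this case would catch a regression that stores the untrimmed value. The TestHandleRegister table starts and ends outside the hunk.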