Merge pull request #188 from ericchiang/trim_emails

registration: trim spaces and sanity check user email from form

Merge pull request #188 from ericchiang/trim_emails
registration: trim spaces and sanity check user email from form
59a821ed · bobbyrullo · a1b7f9e7 · 8be93968 · 59a821ed · 59a821ed
Commit 59a821ed authored Dec 01, 2015 by bobbyrullo
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 2 deletions

register.go server/register.go +2 -2

register_test.go server/register_test.go +31 -0

No files found.
--- a/server/register.go
+++ b/server/register.go
@@ -104,7 +104,7 @@ func handleRegisterFunc(s *Server) http.HandlerFunc {
 		trustedEmail := ses.Identity.Email != "" && idpc.TrustedEmailProvider()
 		validate := r.Form.Get("validate") == "1"
 		formErrors := []formError{}
-		email := r.Form.Get("email")
+		email := strings.TrimSpace(r.Form.Get("email"))

 		// only auto-populate the first time the page is GETted, not on
 		// subsequent POSTs
@@ -114,7 +114,7 @@ func handleRegisterFunc(s *Server) http.HandlerFunc {

 		password := r.Form.Get("password")
 		if validate {
-			if email == "" {
+			if email == "" || !user.ValidEmail(email) {
 				formErrors = append(formErrors, formError{"email", "Please supply a valid email"})
 			}
 			if local && password == "" {

--- a/server/register_test.go
+++ b/server/register_test.go
@@ -146,6 +146,37 @@ func TestHandleRegister(t *testing.T) {
 			wantStatus:      http.StatusSeeOther,
 			wantUserCreated: true,
 		},
+		{
+			// User comes in with spaces in their email, having submitted the
+			// form. The email is trimmed and the user is created.
+			query: url.Values{
+				"code":     []string{"code-2"},
+				"validate": []string{"1"},
+				"email":    str("\t\ntest@example.com "),
+				"password": str("password"),
+			},
+			connID:          "local",
+			wantStatus:      http.StatusSeeOther,
+			wantUserCreated: true,
+		},
+		{
+			// User comes in with an invalid email, having submitted the form.
+			// The email is rejected and the user is not created.
+			query: url.Values{
+				"code":     []string{"code-2"},
+				"validate": []string{"1"},
+				"email":    str("aninvalidemail"),
+				"password": str("password"),
+			},
+			connID:     "local",
+			wantStatus: http.StatusBadRequest,
+			wantFormValues: url.Values{
+				"code":     str("code-3"),
+				"email":    str("aninvalidemail"),
+				"password": str("password"),
+				"validate": str("1"),
+			},
+		},
 		{
 			// User comes in with a valid code, having submitted the form, but
 			// there's no password.