make sure to strip and lower email in input

2020-04-15 21:12:45 +02:00 · 2020-04-15 21:12:45 +02:00 · 3c9e6fc991
parent 5f784d683a
commit 3c9e6fc991
7 changed files with 16 additions and 16 deletions
--- a/app/api/views/auth.py
+++ b/app/api/views/auth.py
@ -45,7 +45,7 @@ def auth_login():
    if not data:
        return jsonify(error="request body cannot be empty"), 400

-    email = data.get("email")
+    email = data.get("email").strip().lower()
    password = data.get("password")
    device = data.get("device")

@ -75,7 +75,7 @@ def auth_register():
    if not data:
        return jsonify(error="request body cannot be empty"), 400

-    email = data.get("email")
+    email = data.get("email").strip().lower()
    password = data.get("password")

    if DISABLE_REGISTRATION:
@ -123,7 +123,7 @@ def auth_activate():
    if not data:
        return jsonify(error="request body cannot be empty"), 400

-    email = data.get("email")
+    email = data.get("email").strip().lower()
    code = data.get("code")

    user = User.get_by(email=email)
@ -171,7 +171,7 @@ def auth_reactivate():
    if not data:
        return jsonify(error="request body cannot be empty"), 400

-    email = data.get("email")
+    email = data.get("email").strip().lower()
    user = User.get_by(email=email)

    # do not use a different message to avoid exposing existing email
@ -225,7 +225,7 @@ def auth_facebook():

    graph = facebook.GraphAPI(access_token=facebook_token)
    user_info = graph.get_object("me", fields="email,name")
-    email = user_info.get("email")
+    email = user_info.get("email").strip().lower()

    user = User.get_by(email=email)

@ -277,7 +277,7 @@ def auth_google():
    build = googleapiclient.discovery.build("oauth2", "v2", credentials=cred)

    user_info = build.userinfo().get().execute()
-    email = user_info.get("email")
+    email = user_info.get("email").strip().lower()

    user = User.get_by(email=email)

@ -335,7 +335,7 @@ def forgot_password():
    if not data or not data.get("email"):
        return jsonify(error="request body must contain email"), 400

-    email = data.get("email").lower()
+    email = data.get("email").strip().lower()

    user = User.get_by(email=email)

--- a/app/auth/views/facebook.py
+++ b/app/auth/views/facebook.py
@ -86,7 +86,7 @@ def facebook_callback():
        "https://graph.facebook.com/me?fields=id,name,email,picture{url}"
    ).json()

-    email = facebook_user_data.get("email")
+    email = facebook_user_data.get("email").strip().lower()

    # user choose to not share email, cannot continue
    if not email:
@ -118,7 +118,7 @@ def facebook_callback():

        LOG.d("create facebook user with %s", facebook_user_data)
        user = User.create(
-            email=email.lower(),
+            email=email,
            name=facebook_user_data["name"],
            activated=True,
            referral=get_referral(),
--- a/app/auth/views/forgot_password.py
+++ b/app/auth/views/forgot_password.py
@ -16,7 +16,7 @@ def forgot_password():
    form = ForgotPasswordForm(request.form)

    if form.validate_on_submit():
-        email = form.email.data
+        email = form.email.data.strip().lower()

        user = User.get_by(email=email)

--- a/app/auth/views/github.py
+++ b/app/auth/views/github.py
@ -85,7 +85,7 @@ def github_callback():
        )
        return redirect(url_for("auth.login"))

-    email = email.lower()
+    email = email.strip().lower()
    user = User.get_by(email=email)

    # create user
@ -100,7 +100,7 @@ def github_callback():

        LOG.d("create github user")
        user = User.create(
-            email=email.lower(),
+            email=email,
            name=github_user_data.get("name") or "",
            activated=True,
            referral=get_referral(),
--- a/app/auth/views/google.py
+++ b/app/auth/views/google.py
@ -80,7 +80,7 @@ def google_callback():
        "https://www.googleapis.com/oauth2/v1/userinfo"
    ).json()

-    email = google_user_data["email"]
+    email = google_user_data["email"].strip().lower()
    user = User.get_by(email=email)

    picture_url = google_user_data.get("picture")
@ -103,7 +103,7 @@ def google_callback():

        LOG.d("create google user with %s", google_user_data)
        user = User.create(
-            email=email.lower(),
+            email=email,
            name=google_user_data["name"],
            activated=True,
            referral=get_referral(),
--- a/app/auth/views/login.py
+++ b/app/auth/views/login.py
@ -25,7 +25,7 @@ def login():
    show_resend_activation = False

    if form.validate_on_submit():
-        user = User.filter_by(email=form.email.data).first()
+        user = User.filter_by(email=form.email.data.strip().lower()).first()

        if not user:
            flash("Email or password incorrect", "error")
--- a/app/auth/views/register.py
+++ b/app/auth/views/register.py
@ -36,7 +36,7 @@ def register():
    next_url = request.args.get("next")

    if form.validate_on_submit():
-        email = form.email.data.lower()
+        email = form.email.data.strip().lower()
        if not can_be_used_as_personal_email(email):
            flash("You cannot use this email address as your personal inbox.", "error")
        else: