From 3c9e6fc991a5f688d07e5542655f7c830562ad3a Mon Sep 17 00:00:00 2001 From: Son NK <> Date: Wed, 15 Apr 2020 21:12:45 +0200 Subject: [PATCH] make sure to strip and lower email in input --- app/api/views/auth.py | 14 +++++++------- app/auth/views/facebook.py | 4 ++-- app/auth/views/forgot_password.py | 2 +- app/auth/views/github.py | 4 ++-- app/auth/views/google.py | 4 ++-- app/auth/views/login.py | 2 +- app/auth/views/register.py | 2 +- 7 files changed, 16 insertions(+), 16 deletions(-) diff --git a/app/api/views/auth.py b/app/api/views/auth.py index adbc29ea..09e2c620 100644 --- a/app/api/views/auth.py +++ b/app/api/views/auth.py @@ -45,7 +45,7 @@ def auth_login(): if not data: return jsonify(error="request body cannot be empty"), 400 - email = data.get("email") + email = data.get("email").strip().lower() password = data.get("password") device = data.get("device") @@ -75,7 +75,7 @@ def auth_register(): if not data: return jsonify(error="request body cannot be empty"), 400 - email = data.get("email") + email = data.get("email").strip().lower() password = data.get("password") if DISABLE_REGISTRATION: @@ -123,7 +123,7 @@ def auth_activate(): if not data: return jsonify(error="request body cannot be empty"), 400 - email = data.get("email") + email = data.get("email").strip().lower() code = data.get("code") user = User.get_by(email=email) @@ -171,7 +171,7 @@ def auth_reactivate(): if not data: return jsonify(error="request body cannot be empty"), 400 - email = data.get("email") + email = data.get("email").strip().lower() user = User.get_by(email=email) # do not use a different message to avoid exposing existing email @@ -225,7 +225,7 @@ def auth_facebook(): graph = facebook.GraphAPI(access_token=facebook_token) user_info = graph.get_object("me", fields="email,name") - email = user_info.get("email") + email = user_info.get("email").strip().lower() user = User.get_by(email=email) 
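Review bot: In auth_login the new `data.get("email").strip().lower()` raises AttributeError when the JSON body has no `email` key or carries a non-string value (`null`, a number, a list), so a malformed request now produces an unhandled 500 instead of a 400; the same line is repeated in the auth_register, auth_activate and auth_reactivate hunks. Validate the type before normalizing, e.g. `email = data.get("email")` / `if not isinstance(email, str): return jsonify(error="email must be a string"), 400` / `email = email.strip().lower()`. Whether a later check in these handlers already rejects a missing email is outside the hunk, but it can no longer run because the chained call fails first.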
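Review bot: In auth_facebook, `user_info.get("email").strip().lower()` fails with AttributeError when the Graph API response carries no `email` field, which is what happens when the Facebook user declines to share it, so that user now gets a 500 rather than a controlled error. Any missing-email handling after `User.get_by` is outside the hunk and would not be reached. Normalize only once the value is known to be present: `email = user_info.get("email")` / `if not email: return jsonify(error="facebook account has no email"), 400` / `email = email.strip().lower()`.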
@@ -277,7 +277,7 @@ def auth_google(): build = googleapiclient.discovery.build("oauth2", "v2", credentials=cred) user_info = build.userinfo().get().execute() - email = user_info.get("email") + email = user_info.get("email").strip().lower() user = User.get_by(email=email) @@ -335,7 +335,7 @@ def forgot_password(): if not data or not data.get("email"): return jsonify(error="request body must contain email"), 400 - email = data.get("email").lower() + email = data.get("email").strip().lower() user = User.get_by(email=email) diff --git a/app/auth/views/facebook.py b/app/auth/views/facebook.py index cc15afe2..2bc43b5f 100644 --- a/app/auth/views/facebook.py +++ b/app/auth/views/facebook.py @@ -86,7 +86,7 @@ def facebook_callback(): "https://graph.facebook.com/me?fields=id,name,email,picture{url}" ).json() - email = facebook_user_data.get("email") + email = facebook_user_data.get("email").strip().lower() # user choose to not share email, cannot continue if not email: @@ -118,7 +118,7 @@ def facebook_callback(): LOG.d("create facebook user with %s", facebook_user_data) user = User.create( - email=email.lower(), + email=email, name=facebook_user_data["name"], activated=True, referral=get_referral(), diff --git a/app/auth/views/forgot_password.py b/app/auth/views/forgot_password.py index 254beee4..604657d5 100644 --- a/app/auth/views/forgot_password.py +++ b/app/auth/views/forgot_password.py @@ -16,7 +16,7 @@ def forgot_password(): form = ForgotPasswordForm(request.form) if form.validate_on_submit(): - email = form.email.data + email = form.email.data.strip().lower() user = User.get_by(email=email) diff --git a/app/auth/views/github.py b/app/auth/views/github.py index 83a5af6e..d9b467a2 100644 --- a/app/auth/views/github.py +++ b/app/auth/views/github.py @@ -85,7 +85,7 @@ def github_callback(): ) return redirect(url_for("auth.login")) - email = email.lower() + email = email.strip().lower() user = User.get_by(email=email) # create user 
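Review bot: auth_google has the same shape: `user_info.get("email").strip().lower()` uses `.get()`, which suggests the field is expected to be optional, yet the chained `.strip()` turns its absence into an AttributeError and a 500. Either guard it — `email = user_info.get("email")` / `if not email: return jsonify(error="google account has no email"), 400` / `email = email.strip().lower()` — or index with `user_info["email"]` so the failure is at least an explicit KeyError rather than an accidental one. Whether the requested Google scopes guarantee an email is not visible from this hunk.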
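Review bot: In the API forgot_password the guard `not data.get("email")` rejects a missing or empty email but not a non-string one, so a body like `{"email": 1}` still reaches the new `.strip()` and raises AttributeError. Tightening the guard to `if not data or not isinstance(data.get("email"), str) or not data["email"]:` keeps the existing 400 path and covers the type case as well. This is the only API handler in the patch that checks the field before normalizing, so it is the cheapest one to make fully safe.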
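Review bot: In facebook_callback the `if not email:` branch for a user who did not share their email now sits after `facebook_user_data.get("email").strip().lower()`, which has already raised AttributeError on `None`, so the guard is unreachable for exactly the case its comment describes and the callback fails with a 500. Keep the original `email = facebook_user_data.get("email")`, leave the `if not email:` branch where it is, and place `email = email.strip().lower()` after it. The second facebook.py hunk (`email=email` in `User.create`) is then correct as written.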
@@ -100,7 +100,7 @@ def github_callback(): LOG.d("create github user") user = User.create( - email=email.lower(), + email=email, name=github_user_data.get("name") or "", activated=True, referral=get_referral(), diff --git a/app/auth/views/google.py b/app/auth/views/google.py index 495ec937..2dc99703 100644 --- a/app/auth/views/google.py +++ b/app/auth/views/google.py @@ -80,7 +80,7 @@ def google_callback(): "https://www.googleapis.com/oauth2/v1/userinfo" ).json() - email = google_user_data["email"] + email = google_user_data["email"].strip().lower() user = User.get_by(email=email) picture_url = google_user_data.get("picture") @@ -103,7 +103,7 @@ def google_callback(): LOG.d("create google user with %s", google_user_data) user = User.create( - email=email.lower(), + email=email, name=google_user_data["name"], activated=True, referral=get_referral(), diff --git a/app/auth/views/login.py b/app/auth/views/login.py index 4c828d6e..eb6b9bd3 100644 --- a/app/auth/views/login.py +++ b/app/auth/views/login.py @@ -25,7 +25,7 @@ def login(): show_resend_activation = False if form.validate_on_submit(): - user = User.filter_by(email=form.email.data).first() + user = User.filter_by(email=form.email.data.strip().lower()).first() if not user: flash("Email or password incorrect", "error") diff --git a/app/auth/views/register.py b/app/auth/views/register.py index ca692715..fd9acfe0 100644 --- a/app/auth/views/register.py +++ b/app/auth/views/register.py @@ -36,7 +36,7 @@ def register(): next_url = request.args.get("next") if form.validate_on_submit(): - email = form.email.data.lower() + email = form.email.data.strip().lower() if not can_be_used_as_personal_email(email): flash("You cannot use this email address as your personal inbox.", "error") else:
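Review bot: `google_user_data["email"].strip().lower()` in google_callback raises KeyError when the userinfo response has no `email`, and this commit leaves that as an unhandled exception while the facebook and github callbacks in the same patch do attempt to handle a missing address. Since the line is rewritten anyway, it is a good moment to make the three callbacks consistent: `email = google_user_data.get("email")`, a `if not email:` branch that flashes an error and redirects to `auth.login` as github_callback does, then `email = email.strip().lower()`. Whether Google can omit the field depends on the scopes requested earlier in the file, which is outside the hunk.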