Accounts-password accepts wrong mailaddresses


I’m using accounts-password for my signup/login form. This works fine - for one thing.
My app is currently at 100 users, and growing… but allready two people (!) have managed to enter a wrong mailaddress: name@domain,com - notice the comma, please :slight_smile: (yeah, I know, users… :wink: )
Apparently, and I have tested that, the regex for the mailaddress does not work correctly. I cannot for this app configure it to use the vailidtion-email, but I would of course want this basic errors to be checked against. I have been searching the code for the validation of the mail, but so far I have no luck. Does anybody know where this is validated?



Here you can add a custom validation:

So there you can fix it yourself if you want to prevent this.

But be careful: Top level domains can be entered in multiple ways: Just as ASCII characters but also:

Users can enter those and they are valid. Behind the scenes they are converted to ASCII to be supported globally but the users sees them in this way. So don’t just filter out all characters you don’t know. Maybe best in this case could be to just replace ,com only at the end of the string with .com to have least possible issues since ,com is never likely to be supported in a top level domain.

Hi Luc,

thank you for your answer! Turns out, checking mailadresses is indeed very hard. I guess we will have to deal with users entering them wrong. In our setup, we are not able to first send them the confirmation-mail for them to create an account - that would take too much time…

(We are working on signing up with Oauth, but getting that to work on both www. and non www turns out to be trickey too :frowning: )

Anyway, checking this with regex is near impossible to get right… at least now I know!



Yes it is! A very complex matter! What you could do is simply validate the e-mail on the client, before sending, and if you detect ,com show a warning. That will also prevent the behavior without restricting your users.

About oAuth, yes move to one domain only, redirect if the other one gets visited.