jibarra closed 7 years ago
@jibarra thanks for the detailed information! After taking a look at the logs it looks like it's getting stuck on the getPasswordWithEmail() function call during the login process:
Dec 13 17:20:06 INFO augeo_user-collection | getPasswordWithEmail | user-api/login | email:icepickpenguin+augeo@gmail.com, |
Dec 13 17:20:06 WARN user-api | /login | Incorrect email address or password |
And after a deeper dive... it seems like the $regex option for the MongoDB query is causing the issue. This was implemented in order to ignore the case of the email from the user.
src/model/schema/augeo/user.js - line 257
this.findOne({email:{'$regex': email, $options: 'i'}}, {password:1}, function(error, data) {
Possible solution: Remove the $regex option and ensure that emails are in all lower case when inserting into the DB. Also need to ignore case when retrieving data with email as a parameter.
@bpred754 Instead of removing the regex, maybe the validation can be done before adding it to the database? The validator library could be used to check if an email is valid before inserting it: https://github.com/chriso/validator.js
After validation, the email could be inserted lower case and retrieved with ignore case, as needed.
@jibarra emails are already validated on the server with the AugeoValidator object, which has similar functions to the library you mentioned above. I don't think the issue was with validation, rather a misread when trying to extract information from the database. Since I was using regex, and the input had a special character '+' that was not escaped, it was not able to find the database entry.
Instead of removing the regex, I created a function that would build regex strings with special characters escaped. Can you give it a shot when you have a chance? I cleared the database so you can use your desired username again. Thanks!
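The escaping fix described in the comment above, sketched as an added example; it is not the project's code. `escapeRegex`, `emailFilter`, `unescapedFilter`, the in-memory `findOne` stand-in and the sample addresses are hypothetical, and anchoring the pattern with `^...$` goes beyond what the thread mentions.

```javascript
// Added example: every name and address below is constructed for illustration.
// JavaScript RegExp stands in for MongoDB's $regex engine; the two agree on
// the metacharacters exercised here.

// Backslash-escape every regex metacharacter so the input matches literally.
function escapeRegex(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Query shape quoted in the thread: the raw input is used as the pattern.
function unescapedFilter(email) {
  return { email: { $regex: email, $options: 'i' } };
}

// Escaped and anchored: case-insensitive match on the whole address only.
function emailFilter(email) {
  if (typeof email !== 'string') throw new TypeError('email must be a string');
  return { email: { $regex: '^' + escapeRegex(email) + '$', $options: 'i' } };
}

// Stand-in for a collection lookup: applies the filter to in-memory documents.
function findOne(docs, filter) {
  const re = new RegExp(filter.email.$regex, filter.email.$options);
  return docs.find((doc) => re.test(doc.email)) || null;
}

// Constructed sample records.
const users = [{ email: 'alice+augeo@example.com' }, { email: 'bob@example.com' }];

function demo() {
  return {
    // '+' is read as "one or more 'e'", so the stored address is never found.
    plusUnescaped: findOne(users, unescapedFilter('alice+augeo@example.com')),
    // Escaped: found, and the lookup still ignores case.
    plusEscaped: findOne(users, emailFilter('Alice+Augeo@Example.com')),
    // Unanchored pattern: a partial address resolves to another user's record.
    partialUnescaped: findOne(users, unescapedFilter('ob@example.com')),
    // Anchored pattern: the partial address matches nothing.
    partialEscaped: findOne(users, emailFilter('ob@example.com')),
  };
}

console.log(demo());
```
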
The issue looks like it's fixed. I can sign up and log in properly with +{EXTRA} appended to my email.
Gmail (and potentially other email providers) allows emails to users to be of the form email+{EXTRA}@gmail.com, where {EXTRA} can be any text.
The frontend for the signup form allows the + special character and looks like it attempts to submit the email to the backend. The signup form allows the user to submit with this email format, however the server responds with a 400 error (Bad Request) and the user receives the message "Incorrect email address or password."
The server also sends out an email confirming the signup to the correct address (email+{EXTRA}@gmail.com). However, when trying to log in, the server responds with a 400 error (Bad Request) and the user receives the message "Incorrect email address or password."
This error occurred in Safari 10.0.1 and was replicated in Chrome 54.0.2840.98 on MacOS Sierra.
Steps to reproduce:
I looked through the network request in Chrome and the payload contains the email in the proper form (email+{EXTRA}@gmail.com), so it looks like the problem may be in the backend.