fastsurvey / backend

FastSurvey's backend that's crunching the data

Email regex in backend stricter than in frontend #67

Closed dostuffthatmatters closed 3 years ago

dostuffthatmatters commented 3 years ago

I am trying to submit an email field response.

My field config looks like this:

{
  "title":"smthn",
  "description":"",
  "type":"email",
  "hint":"Any email address",
  "regex":".*",
  "verify": false
}

Therefore I should in theory be able to respond with any string I want. When submitting an empty string, the backend responds with:

{"detail":[{"loc":["2"],"msg":"string does not match regex \"(?=^.+@.+$)(?=.*)\"","type":"value_error.str.regex","ctx":{"pattern":"(?=^.+@.+$)(?=.*)"}}]}

@empicano Is that regex fixed - so should I use it for validation as well? Because with a hidden regex validation of emails in the backend, the frontend has to know about this - otherwise respondents will just see a "server error" message.

empicano commented 3 years ago

This complicated (?=^.+@.+$)(?=.*) regex you see there essentially checks if the submitted email address satisfies the user-provided regex as well as the (very loose) base regex ^.+@.+$ (the same as used for registration email addresses). Anything that doesn't at least satisfy this base regex is not a valid email address.

I think this is a good rule. In any case the real email validation is different than the provided regex, as we also define a max length. What do you think? 😎

dostuffthatmatters commented 3 years ago

Where do you have this regex from? :D For me it says that a@@@b is a valid email. Is that correct?

I will just show a specific error message if backend-response-code is 422 and detail contains "regex" somewhere.

empicano commented 3 years ago

The ^.+@.+$ regex essentially checks that there is an @ somewhere in the string, so yes a@@@b is valid according to this regex. Practically, the only way to be sure that an email is valid is to send an email with some secret to it, but I admit, that's very liberal 😄

The regex (?=^.+@.+$)(?=PATTERN) means ^.+@.+$ AND PATTERN. The (?=PATTERN) part is called lookahead.

> I will just show a specific error message if backend-response-code is 422 and detail contains "regex" somewhere.

Sounds good, everything not matching (?=^.+@.+$)(?=PATTERN) will trigger that. Something like a@@@b won't, but that's ok. It will regularly count as an unverified submission for surveys with email address verification, but will obviously never be verified.
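The lookahead composition discussed in this thread, as an added Python example that is not code from the FastSurvey backend. It assumes the combined pattern is applied with `re.match`; `accepts_strict`, the sample values and the 254-character limit are hypothetical and constructed for illustration.

```python
import re

BASE = r"^.+@.+$"  # loose base regex quoted in the thread


def combine(user_pattern: str) -> re.Pattern:
    """AND the base regex and the field's regex via two zero-width lookaheads."""
    return re.compile(f"(?={BASE})(?={user_pattern})")


def accepts(user_pattern: str, value: str) -> bool:
    # Assumption: applied with re.match, i.e. anchored at position 0 only.
    return combine(user_pattern).match(value) is not None


def accepts_strict(user_pattern: str, value: str, max_length: int = 254) -> bool:
    """Hypothetical stricter check: length cap plus full-string matches."""
    if len(value) > max_length:
        return False
    # fullmatch must consume the whole value, so a trailing newline or a
    # suffix after the part the field regex describes is rejected.
    return (re.fullmatch(r".+@.+", value) is not None
            and re.fullmatch(user_pattern, value) is not None)


# Constructed samples: (field regex, submitted value)
SAMPLES = [
    (r".*", ""),
    (r".*", "a@@@b"),
    (r".*", "a@b\n"),
    (r".+@example\.org", "user@example.org"),
    (r".+@example\.org", "user@example.org.other.test"),
]

if __name__ == "__main__":
    for pattern, value in SAMPLES:
        print(f"{pattern!r:22} {value!r:32} lookahead={accepts(pattern, value)} "
              f"strict={accepts_strict(pattern, value)}")
```

The trailing-newline and `example.org.other.test` samples pass the lookahead form but fail the strict one: a lookahead only requires the field regex to match a prefix starting at position 0, and `$` also matches just before a trailing newline.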

dostuffthatmatters commented 3 years ago

I now show an error message for every submission that gets rejected because of an invalid email: https://github.com/fastsurvey/frontend/blob/b126ed384fba9247a2b43edae2e872f48f57182a/src/utilities/backend/post-submission.ts#L29

As long as you keep the word regex in the email error message the frontend can deal with any regex you like and we do not have to keep any regex in two codebases the same.