Require valid emails for registration

hypothesis / h

Annotate with anyone, anywhere.

https://hypothes.is/

BSD 2-Clause "Simplified" License

2.96k stars 427 forks source link

Require valid emails for registration #7231

Open xolotl opened 2 years ago

xolotl commented 2 years ago

Steps to reproduce

Register for Hypothesis using an incomplete email format (eg, missing a TLD at the end).
Registration succeeds, even tho email is invalid.

Expected behaviour

Emails supplied at registration should meet basic format requirements.

Actual behaviour

Registration succeeds with invalid emails.

Additional details

This was discovered by seeing apparently successful user registrations with emails like the following (anonymized):

***@uio
mail@***schroeder
***18295@hot
***0220@gmail
***vid519@dot
***uan@com
.@usherbrooke
***20007@aegean

robertknight commented 2 years ago

The above are all technically syntactically valid email addresses (see also, email input HTML spec). Given that an email address is not useful unless we can send an email to it, perhaps it would make sense to check that we can at least find a mail server associated with the email address's domain (via a DNS MX record lookup). This is something I think we should be able to look up efficiently.

xolotl commented 2 years ago

Thanks, TIL that emails that don't seem correct from a quick look and are more likely typos or user error and aren't deliverable are syntactically valid.

I think @robertknight's proposal of validation is a good one. I actually discovered these email addresses performing basic email validation on users who had opted in to email messaging using an external service. That service validated 10K+ emails in a couple of minutes, so validating one email may be fast enough to be a part of the registration process.