massif-press / compcon

Digital character creator and player sheets for the LANCER TTRPG
https://compcon.app
GNU General Public License v3.0

[BUG] Email Password Reset Regex validation error #2178

Open msprijatelj opened 1 year ago

msprijatelj commented 1 year ago

Describe the bug: On mobile CompCon, some email addresses that seem otherwise valid encounter a Regex validation error when sending an email for Password Reset.

To Reproduce: Steps to reproduce the behavior:

  1. On mobile, using Google Chrome browser, open CompCon in incognito mode.
  2. Click on Log In -> "Forgot Password?"
  3. Enter email address (optional: use "Autofill" for the address)
  4. Click "Send Password Reset E-Mail"
  5. Observe an error: "ERROR: Unable to send reset e-mail: 1 validation error detected: Value at 'username' failed to satisfy constraint: Member must satisfy regular expression pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}]+"

Expected behavior: Password reset works correctly for valid email addresses.

Screenshots: Screenshot of error with most sensitive data redacted; trying to include just enough qualitative info to test verification. The redacted characters were all lowercase letters, no special characters (e.g. accented characters, symbols, etc). The first character in the email is a capital I.

Additional Details: I cannot reproduce this on iOS Firefox or Windows Desktop Firefox using the email address provided by the user who originally experienced this issue. They confirm that they encountered this error both after using autofill and after manually typing in their email address.

nhyldmar commented 1 year ago

Unable to replicate on Pixel 3, Android, Chrome, CompCon Version 2.3.13.

From a quick look, seems like this is a problem that exists outside of compcon since the error is passed back from aws-amplify/auth when called here: https://github.com/massif-press/compcon/blob/77df7e7b0105ae6490f67db155da82f198c55980/src/features/main_menu/_components/login/PasswordReset.vue#L85 Doesn't look like much is done to emails before passing them on, other than making them lower case in the event that there is an error after the first attempt. This change is only made if the original attempt errors, so it can't be the cause.

From a quick look, I can't see anything that could make it platform or browser dependent which makes it weird that it can't be replicated in iOS Firefox or Windows Desktop Firefox.

Also that's a very permissive regex so I assume no matter what special characters the email contains could cause it (and if it was very special characters it would have been flagged in the bug report).

The most likely input that would cause no matches would be a blank or whitespace input. I can't see anything on the compcon side that could pass in a blank string instead, but that's probably what to look for either in compcon or on aws-amplify/auth.
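Added example, not part of the thread or of CompCon's code: the pattern from the error message applied to constructed inputs, showing the blank and whitespace cases mentioned above and, going beyond the comment, whitespace or invisible characters inside an otherwise normal address. It assumes the backend matches the pattern against the whole value; `offendingCodePoints` and `checkUsername` are hypothetical helper names.

```javascript
// Pattern copied from the error message in this issue. The "u" flag enables
// \p{...} Unicode property escapes; ^...$ models whole-value matching
// (an assumption about how the backend applies the constraint).
const USERNAME_PATTERN = /^[\p{L}\p{M}\p{S}\p{N}\p{P}]+$/u;

// Hypothetical helper: list the characters that fall outside the allowed
// classes as code point labels, so invisible characters become visible.
function offendingCodePoints(value) {
  const allowed = /[\p{L}\p{M}\p{S}\p{N}\p{P}]/u;
  return [...value]
    .filter((ch) => !allowed.test(ch))
    .map((ch) => 'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0'));
}

// Hypothetical client-side pre-check: trim surrounding whitespace, then
// report whether the result satisfies the pattern and what does not.
function checkUsername(raw) {
  const value = raw.trim();
  return {
    value,
    changedByTrim: value !== raw,
    ok: USERNAME_PATTERN.test(value),
    offending: offendingCodePoints(value),
  };
}

// Constructed sample inputs (not taken from the report).
const samples = [
  'Iexample@example.com',        // plain address: matches
  '',                            // blank: "+" needs at least one character
  '   ',                         // whitespace only: no allowed class matches
  'Iexample@example.com ',       // trailing space, fixed by trim()
  'I example@example.com',       // inner space, not fixed by trim()
  'Iexample\u200B@example.com',  // zero-width space (category Cf), invisible
];

for (const s of samples) {
  const r = checkUsername(s);
  console.log(JSON.stringify(s), 'raw match:', USERNAME_PATTERN.test(s),
    'after trim:', r.ok, 'offending:', r.offending.join(',') || '-');
}
```

Logging the code point labels rather than the raw value is what makes a stray space or zero-width character distinguishable from a blank input in a bug report.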