meteor / meteor-feature-requests

A tracker for Meteor issues that are requests for new functionality, not bugs.

E-mail format is not verified when registering #14

Open mitar opened 7 years ago

mitar commented 7 years ago

Migrated from: meteor/meteor#8676

mjmasn commented 7 years ago

Slightly tongue in cheek but validating email addresses is hard.

Isn't it easier to fix/replace nodemailer to not send multiple emails unless you explicitly tell it to (i.e. by providing an actual array)? We use Amazon SES API and it rejects comma-separated email address strings and other weirdness.

That said, I guess even a simple regex like ^[^@]+@[^@]+$ on the email address would fix this particular multiple-emails issue and probably wouldn't affect 99.99% of people even though it technically breaks the RFC (things like @ and , are technically allowed in the local part of the address if they are quoted).

mitar commented 7 years ago

I have used this regex and have not yet seen an address which it does not match correctly. I would be really curious if you can find one.

mjmasn commented 7 years ago

That regex is almost identical to the one at emailregex.com so I agree there's a low chance you'd have seen any issues.

It even works with a range of crazy but technically valid stuff like:

user+mailbox/department=shipping@example.com
!#$%&'*+-/=?^_`.{|}~@example.com
"Abc@def"@example.com
"Fred Bloggs"@example.com
"Joe.\\Blow"@example.com

(from: https://en.wikipedia.org/wiki/International_email)

I'm not sure what the situation is with unicode domains (for example I know a guy who owns 📠.ws - that's a fax machine emoji if you can't see it). Not sure if any RFC even covers this kind of stuff yet. I'm not saying it's sensible, and I think there is some debate currently about whether emoji should be allowed in domain names, but there's still other unicode that will be allowed, e.g. Chinese characters, and so this may become a bigger issue over time.

My gut feeling would be to go for the bare minimum to avoid the string being interpreted as multiple email addresses in nodemailer and let the email delivery be proof of validation.

Edit: And just to add we do occasionally have clients in China and the Middle East so this issue is bound to present itself sooner or later.

StorytellerCZ commented 3 years ago

As was noted in comments on https://emailregex.com/ the regex there doesn't take into account internationalized e-mails, aka things like this:

用户@例子.广告                (Chinese, Unicode)
अजय@डाटा.भारत                 (Hindi, Unicode)
квіточка@пошта.укр          (Ukrainian, Unicode)
χρήστης@παράδειγμα.ελ       (Greek, Unicode)
Dörte@Sörensen.example.com  (German, Unicode)
коля@пример.рф              (Russian, Unicode)

Did a quick adjustment to the following regex to make the above emails pass:

^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([\u00BF-\u1FFF\u2C00-\uD7FF\w\-0-9]+\.)+[\u00BF-\u1FFF\u2C00-\uD7FF\w]{2,}))$

Thoughts?
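
The two patterns quoted in this thread, run side by side over addresses from the thread and a few constructed inputs. This is an added example, not code from Meteor, nodemailer or any commenter; `isSingleAddress`, its comma check and the constructed inputs are assumptions made for illustration.

```javascript
// Added example; not code from Meteor or nodemailer.
// MINIMAL is the pattern suggested earlier in the thread,
// ADJUSTED is the regex from the last comment, copied unchanged.
const MINIMAL = /^[^@]+@[^@]+$/;
const ADJUSTED = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([\u00BF-\u1FFF\u2C00-\uD7FF\w\-0-9]+\.)+[\u00BF-\u1FFF\u2C00-\uD7FF\w]{2,}))$/;

// Hypothetical helper (an assumption, not an existing API): the value must be
// a string, contain no comma anywhere, and match ADJUSTED.
function isSingleAddress(value) {
  return typeof value === 'string' && !value.includes(',') && ADJUSTED.test(value);
}

// Evaluate one input against both patterns and the combined helper.
function check(address) {
  return {
    minimal: MINIMAL.test(address),
    adjusted: ADJUSTED.test(address),
    single: isSingleAddress(address),
  };
}

const SAMPLES = [
  // Addresses quoted in the thread
  'user+mailbox/department=shipping@example.com',
  '"Abc@def"@example.com',
  '用户@例子.广告',
  'Dörte@Sörensen.example.com',
  // Constructed inputs
  'a@example.com,b@example.com',   // two addresses in one string
  'a@example.com, b',              // a single "@", but still a comma
  '"a,b@example.org"@example.com', // comma inside a quoted local part
  'fax@\u{1F4E0}.ws',              // emoji domain label (U+1F4E0)
];

function report(samples = SAMPLES) {
  return samples.map((address) => ({ address, ...check(address) }));
}

console.table(report());
```

The table shows where the two patterns disagree: MINIMAL rejects the quoted `"Abc@def"` form but accepts any string with a single `@`, commas included, while ADJUSTED accepts a comma inside a quoted local part and rejects the emoji domain label.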