Double check of potential problems in backend

[rclarey]

These include:

• inadequate error handling anywhere
• SQL injection vulnerabilities
• persistent XSS vulnerabilities
• or anything else deemed bad

[danenespoli]

Oh also double check that the "@edu.uwaterloo" part of the email address isn't being appended client-side (or at least that it's validated on the backend somewhere)

I feel like I saw code at some point that appended the uwaterloo part before making the API call to create a user and just wanted to make sure users can't sign up with arbitrary email addresses if they bypass this

[rclarey]

@danenespoli yeah we append it client-side, but we do validate it on the backend.

Now that you've pointed it out I agree that we should just send the WatIAM ID