singlelink-co / Singlelink

The open-source Linktree alternative.
https://singlelink.co
GNU General Public License v3.0
555 stars 117 forks

Plus addressing breaks e-mail address verification #262

Open RokeJulianLockhart opened 1 year ago

RokeJulianLockhart commented 1 year ago

I attempted to register using rwx1m7+RWX1MZ@rokejulianlockhart.anonaddy.com. When I received the code, clicking the verify button didn't work. I was about to consider this a problem with my browser, but when I tried to click the e-mailed link instead, the consequent page (https://app.singlelink.co/verify?email=rwx1m7+RWX1MZ@rokejulianlockhart.anonaddy.com&code=145330&newSignup=true) appeared to depict my address incorrectly sanitized in some manner:

image

RokeJulianLockhart commented 1 year ago

Indeed, plus addressing is the problem - rwx1m7@rokejulianlockhart.anonaddy.com works. Remember when implementing e-mail dependent registration that you read the entirety of the relevant RFCs or use a well-tested library.

saraspaudel commented 1 year ago

I believe this was initially implemented to prevent bot signups.

RokeJulianLockhart commented 1 year ago

I think that that's an ineffective solution since I quite easily bypassed it using AnonAddy, but you could at least notify the user and not send the e-mail message until the sub address is removed.

ciroiriarte commented 1 year ago

I would also normally use plus addressing. Please consider adding support for it.

RokeJulianLockhart commented 1 year ago

@ciroiriarte, have you tried https://anonaddy.com in the meantime? I use a different (also plus addressed) e-mail address for each service, and it works better than mere plus addressing does, especially for situations such as this.
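
One possible cause of the altered address on the verify page, shown as an added example (not Singlelink's code, and not confirmed in this thread): a raw `+` in a query string is form-decoded as a space, so the lookup for the pending signup misses. The function names and the pending-signup map are hypothetical; the address and code are the ones quoted in the first comment.

```javascript
// Added illustration; names are hypothetical, not taken from the Singlelink code base.
const BASE = "https://app.singlelink.co/verify";
const EMAIL = "rwx1m7+RWX1MZ@rokejulianlockhart.anonaddy.com"; // from the issue
const CODE = "145330";                                          // from the issue

// String concatenation leaves "+" unescaped, matching the link in the issue.
function buildLinkNaive(email, code) {
  return `${BASE}?email=${email}&code=${code}&newSignup=true`;
}

// URLSearchParams percent-encodes "+" as %2B (and "@" as %40).
function buildLinkEncoded(email, code) {
  const url = new URL(BASE);
  url.searchParams.set("email", email);
  url.searchParams.set("code", code);
  url.searchParams.set("newSignup", "true");
  return url.toString();
}

// What a form-urlencoded query parser recovers on the verify page.
function parseEmail(link) {
  return new URL(link).searchParams.get("email");
}

// Server-side check against pending signups (Map of email -> code).
function verify(link, pending) {
  const params = new URL(link).searchParams;
  const email = params.get("email");
  if (!pending.has(email)) return { ok: false, reason: "unknown address", email };
  if (pending.get(email) !== params.get("code")) {
    return { ok: false, reason: "bad code", email };
  }
  return { ok: true, email };
}

// Constructed pending-signup store for the demonstration.
const pending = new Map([[EMAIL, CODE]]);

function demo() {
  return {
    naive: verify(buildLinkNaive(EMAIL, CODE), pending),
    encoded: verify(buildLinkEncoded(EMAIL, CODE), pending),
  };
}

console.log(demo());
```
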