A new user stopped by early this morning. When validating the email address, they entered an incomplete one (e.g.: user-name@gmail).
The emailval.js script accepted this and logged the error:
8/29 03:27:06a Node 1 <user> !JavaScript C:\sbbs\mods\emailval.js line 130: Error: Unroutable QWKnet "to_net_addr" (gmail) in recipient object
This allowed the user to bypass the email validation process and proceed to the main menu. Granted, they didn't have their default access level adjusted either.
I assume the system must be treating user.netmail values without a "." to the right of the "@" symbol as QWKnet addresses?
In any case, I copied emailval.js script to /sbbs/mods, and added a check to the SendValidationEmail function to ensure that user.netmail values contain both a "@" and a ".":
if (user.netmail.indexOf(".") < 0 && user.netmail.indexOf("@") < 0) {
console.print("\r\n'" + user.netmail + "' is not a valid email address!");
console.pause();
return;
}
This should screen out incomplete values, and prevent unwanted validation bypass attempts.
In any case, I copied emailval.js script to /sbbs/mods, and added a check to the SendValidationEmail function to ensure that user.netmail values contain both a "@" and a ".":
if (user.netmail.indexOf(".") < 0 && user.netmail.indexOf("@") < 0) {
console.print("\r\n'" + user.netmail + "' is not a valid email address!");
console.pause();
return;
}
This should screen out incomplete values, and prevent unwanted validation bypass attempts.
I've had a similar problem with someone using @domain
put that in your .can
Re: emailval.js accepts incomplete email addresses
By: MRO to Keyop on Fri Aug 30 2024 07:13 am
put that in your .can
Vulgar as ever, I see.
if (user.netmail.indexOf(".") < 0 && user.netmail.indexOf("@") < 0) {
console.print("\r\n'" + user.netmail + "' is not a valid email address!");
console.pause();
return;
}
Why not put this into a gitlab issue so Digital Man can review or add it, or maybe you could do a pull request?
Even better, it might be nice to have a method for sbbs to check if an email is valid, since this could be used in other places.
maybe valid_netmail(address) checks for user@ whatever valid formats valid_email(address) - check for user@domain.tld
valid_local(address) - checks user number, alias, handle and full name
Why not put this into a gitlab issue so Digital Man can review or add it, or maybe you could do a pull request?
Even better, it might be nice to have a method for sbbs to check if an email is valid, since this could be used in other places.
maybe valid_netmail(address) checks for user@ whatever valid formats valid_email(address) - check for user@domain.tld
valid_local(address) - checks user number, alias, handle and full name
if (user.netmail.indexOf(".") < 0 && user.netmail.indexOf("@") < 0) {
Even better, it might be nice to have a method for sbbs to check if an email is valid, since this could be used in other places.
maybe valid_netmail(address) checks for user@ whatever valid formats valid_email(address) - check for user@domain.tld
valid_local(address) - checks user number, alias, handle and full name
Re: emailval.js accepts incomplete email addresses
By: Codefenix to All on Thu Aug 29 2024 08:30:51
if (user.netmail.indexOf(".") < 0 && user.netmail.indexOf("@") < 0) {
If you *really* want to check if an email address is valid, then there's a whole rabbit hole of standards and regex fun you can go down.
I have to wonder why/if this is even necessary in the context of email validation. If the email address is fucked, then the user will not get validated. If they want to gain access, they'll need to supply a working address. Sort of a self-solving problem right?
if (user.netmail.indexOf(".") < 0 && user.netmail.indexOf("@") < 0) {
If you *really* want to check if an email address is valid, then there's a whole rabbit hole of standards and regex fun you can go down.
I have to wonder why/if this is even necessary in the context of email validation. If the email address is fucked, then the user will not get validated. If they want to gain access, they'll need to supply a working address. Sort of a self-solving problem right?
If you *really* want to check if an email address is valid, then there's a whole rabbit hole of standards and regex fun you can go down.
I have to wonder why/if this is even necessary in the context of email validation. If the email address is fucked, then the user will not get validated. If they want to gain access, they'll need to supply a working address. Sort of a self-solving problem right?
I think it'd be more user-friendly if the script only supports Internet mail (which in this case, I think it's expected) and it rejected (with a friendly message) any invalid Internet mail addresses, just in case the user wasn't intentionally trying to fool the script, but rather just typoed or assumed a FidoNet or QWKnet address could be used (maybe they can?). I don't know, I didn't actually write the script in question.
I think it'd be more user-friendly if the script only supports Internet mail (which in this case, I think it's expected) and it rejected (with a friendly message) any invalid Internet mail addresses, just in case the
typoed or assumed a FidoNet or QWKnet address could be used (maybe they can?). I don't know, I didn't actually write the script in question.
I imagine it could probably tell the user the email address they entered is invalid and give the user another chance to re-enter their email address.
It's easy enough to get a throwaway internet email address (eg. by signing up on another Synchronet > board) so demanding this net type isn't really the gatekeeping measure it seems. This is why I ask > a scan of government-issued photo ID, and a picture of the user holding said ID up next to their fa > and have them fax in a signed contract before I allow them to use my B.B.S.
If you *really* want to check if an email address is valid, then there's a whole rabbit hole of standards and regex fun you can go down.
I have to wonder why/if this is even necessary in the context of email validation. If the email address is fucked, then the user will not get validated. If they want to gain access, they'll need to supply a working address. Sort of a self-solving problem right?
someone entered an incomplete one on my system (user@gmail), and it broke the script because the script (incorrectly) treated the entry as though it were a QWKmail address. This let the user skip validation and proceed to main, when it should have screened them out instead.
Re: emailval.js accepts incomplete email addresses
By: echicken to Codefenix on Sat Aug 31 2024 09:05 pm
If you *really* want to check if an email address is valid, then there's a whole rabbit hole of standards and regex fun you can go down. I have to wonder why/if this is even necessary in the context of email validation. If the email address is fucked, then the user will not get validated. If they want to gain access, they'll need to supply a working address. Sort of a self-solving problem right?
No, not quite. I must not have made it very clear in my initial post. The reason why I would want to "pre-validate" an email address is because someone entered an incomplete one on my system (user@gmail), and it broke the script because the script (incorrectly) treated the entry as though it were a QWKmail address. This let the user skip validation and proceed to main, when it should have screened them out instead.
I don't think that's how that script works though. It doesn't "screen people out" (that provide an invalid email address).
The user is meant to validate or hit the bricks.
There is no 5th option to proceed unvaliated, otherwise I could agree with you about the script's intent.
Re: emailval.js accepts incomplete email addresses
By: Digital Man to Codefenix on Wed Sep 04 2024 10:05 pm
I don't think that's how that script works though. It doesn't "screen people out" (that provide an invalid email address).
The list of available options in the script's menu imply exactly that.
[S] Send validation code to <email address>
[V] Validate your account
[E] Edit/Update email address
[H] Hangup
If the sysop has the emailval module enabled, it gets called during logon. The user is meant to validate or hit the bricks.
There is no 5th option to proceed unvaliated, otherwise I could agree with you about the script's intent.
with you about the script's intent.
Yeah, I'm not familiar with (don't run) that script. I'll take a closer look at it.
it probably would be better to send a user a generated password and disconnect them.
Re: emailval.js accepts incomplete email addresses
By: MRO to Digital Man on Thu Sep 05 2024 09:19 pm
it probably would be better to send a user a generated password and disconnect them.
I mean, that's effectively the same thing as what the emailval module currently is doing now, except your approach forces the user to drop and re-connect. emailval keeps the the user on, which I think is preferable.
Sysop: | Gary Ailes |
---|---|
Location: | Pittsburgh, PA |
Users: | 132 |
Nodes: | 5 (0 / 5) |
Uptime: | 108:53:46 |
Calls: | 733 |
Files: | 2,171 |
Messages: | 81,483 |