# ory-network
a
Hey there, currently it is possible to sign up via kratos SDK and Web API with an email consisting only of a name, “@” and a tld (just like “test@test”). However, this is not a valid email according to the RFC. Is anybody aware of that and will this be changed in the near future?
r
Hey Max. It is, in general, impossible to validate an email address by any other method than sending an email to it.
Especially regexes are not workable.
We do what we believe is the most strict validation possible, without rejecting valid email addresses. That’s essentially if the address contains an `@` and some stuff before and after.
In particular your example `test@test` is in fact potentially a valid address.
a
can you point to the rfc document stating that email addresses can be with a tld only? i thought i read that rfc has revised it back in the time…
r
And wikipedia (I’m sure it links to the relevant RFCs) https://en.wikipedia.org/wiki/Email_address#Valid_email_addresses
But really the most important part is: what is the email regex supposed to defend against? Users signing up with invalid email addresses? That’s easy: `${uuid.v4()}@gmail.com`.
a
thanks, will check it out.
basically, prevent typos (missing dot) e.g. test@gmailcom instead of gmail.com
but agree, security wise spammers could likely use any other email and flood the db with never-verified addresses. we’ll delete non-verified email addresses anyway after 30 days
will wrinkle my brain around again. thanks for your replies
s
you can add regex validation to the identity schema to prevent typos, e.g. `@.+\..+`
m
Hello @ancient-translator-52526 I hope this helped! I invited you to the production support channel #C05PHQCFL1F Please use this channel going forward to get support for your Ory Network project. Please also let me know if there is someone from your team not invited!
l
I’ve brought this up before. I think it would be a good idea to highlight it in the docs so you can take it into account when you are designing your identity schema https://ory-community.slack.com/archives/C02MR4DEEGH/p1686921499519849?thread_ts=1686921191.072869&cid=C02MR4DEEGH