Email Validation func is Improper

[mohammed90]

[REQUIRED] Step 2: Describe your environment

• Operating System version: Mac OS
• Firebase SDK version: v3.12.0
• Library version: v3.12.0 (? not sure which library do you mean here)
• Firebase Product: auth (auth, database, storage, etc)

[REQUIRED] Step 3: Describe the problem

Steps to reproduce:

The email validation func checks if the split over @ results in 2 parts:

firebase-admin-go/auth/user_mgt.go

Lines 461 to 463 in 32728b0

	if parts := strings.Split(email, "@"); len(parts) != 2 || parts[0] == "" || parts[1] == "" {
	return fmt.Errorf("malformed email string: %q", email)
	}

But this risks rejecting valid email address. These are all valid email addresses:

• Abc\@def@example.com
• "Abc@def"@example.com
• "<"@\".!.#%$@example.com

which the library will reject. The recommendation per Stavros Korokithakis is to check if there's an @ symbol and try to send an email to it. If they click the validation link, then it's a real address. So replace the prior snippet with:

Relevant Code:

Current code:

firebase-admin-go/auth/user_mgt.go

Lines 461 to 463 in 32728b0

	if parts := strings.Split(email, "@"); len(parts) != 2 || parts[0] == "" || parts[1] == "" {
	return fmt.Errorf("malformed email string: %q", email)
	}

Suggested replacement:

if !strings.Contains(email, "@") {
	return fmt.Errorf("malformed email string: %q", email)
}

References:

• I Knew How To Validate An Email Address Until I Read The RFC
• So you think you can validate email addresses

[google-oss-bot]

This issue does not seem to follow the issue template. Make sure you provide all the required information.

[hiranya911]

This is based off the same validation logic we use in our Node SDK.

export function isEmail(email: any): boolean {
  if (typeof email !== 'string') {
    return false;
  }
  // There must at least one character before the @ symbol and another after.
  const re = /^[^@]+@[^@]+$/;
  return re.test(email);
}

Yes, it is certainly not RFC compliant. But the kind of edge cases you've listed are also very rare in practice. Many of the widely used email providers simply won't allow such addresses. That's probably why these implementations have been able to get by for years without anybody pointing it out :)

Having said that, if there's a straightforward fix to the above code, we'd gladly accept it. From what I can see only those email addresses with extra @ signs in the username are the problematic cases.

[hiranya911]

Found a fairly robust and exhaustive regex for email validation at https://html.spec.whatwg.org/multipage/input.html#valid-e-mail-address

We might want to update our email validation to use something like that.

[mohammed90]

Found a fairly robust and exhaustive regex for email validation at https://html.spec.whatwg.org/multipage/input.html#valid-e-mail-address

We might want to update our email validation to use something like that.

Please check the note in the same link:

This requirement is a willful violation of RFC 5322, which defines a syntax for email addresses

RFC 5322 is the standard spec for email:
https://datatracker.ietf.org/doc/html/rfc5322