fix: tighten email validation rules #2304
Merged
+128
−9
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Pull Request Test Coverage Report for Build 20462025333Warning: This coverage report may be inaccurate.This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.
Details
💛 - Coveralls |
implementations can affect the determinism of our DNS checks, without allowing transient DNS failures to block signups: * Reject single label email domains (`a@a`, `a@gmail`) * Use absolute FQDN for DNS lookups to avoid implicit search behavior * Preserves the RFC 5321 fallback, but narrows when it is called * Add an allow list for major email providers to lower latency * Reject mutated display name address that the mail parser might accept * Add test coverage for some corner cases
cstockton
force-pushed
the
cs/update-email-validation
branch
from
13bec55 to
d32397f
Compare
hf
approved these changes
Dec 23, 2025
cstockton
added a commit
that referenced
this pull request
Dec 23, 2025
Note: this PR depends on #2304 ## Update to Go v1.25.5 As part of this upgrade several changes were needed to resolve go vet failures around non-constant format strings: - Updating all apierrors constructors to use const fmt strings with args - Removing fmt.Sprintf usages that violate go vet fmt checks - Refactoring internal error/message helpers to accept fmt + params In addition stricter checks in the standard library for x509 certificate creation required a change to a SAML test in internal/conf. Now I start with a valid certificate and then set the serial number to an invalid value. To do this I opted for a small refactor to PopulateFields to return the cert object instead of copying the code within the test. ## Why update? Aside from security related reasons and general best practices here are some highlights im looking forward to! * The [flight recorder](https://go.dev/blog/flight-recorder) could be great for debugging performance bottlenecks. I personally am super excited for this feature, I hope the new streamable tracing API will enable a new class of interesting visual tools in the future. * The [synctest](https://pkg.go.dev/testing/synctest) package means no more DI for `now func() time.Time` :D * Addition of [t.Context()](https://pkg.go.dev/testing#T.Context) and [t.Cleanup(func())](https://pkg.go.dev/testing#T.Cleanup) will make lower friction as we sever ties with our testing framework. There are other neat API's like `T.Attr` and `T.Output`. * The new [json/v2](https://pkg.go.dev/encoding/json/[email protected]) package offers more efficient memory usage and faster API's. When I've ran profiling in the past JSON is a significant portion of our CPU time so we should see some nice gains for this. * The new [jsontext](https://pkg.go.dev/encoding/json/[email protected]#example-package-StringReplace) may come in handy for implementing JWT templates depending on how we want to design it. * And much more! --------- Co-authored-by: Chris Stockton <[email protected]>
cemalkilic
pushed a commit
that referenced
this pull request
Jan 12, 2026
Resets the main branch (`master`) to have the same changeset as 2.184.0 but under 2.185.0. Original release please notes: ### Features * Add Sb-Forwarded-For header and IP-based rate limiting ([#2295](#2295)) ([e8f679b](e8f679b)) * allow amr claim to be array of strings or objects ([#2274](#2274)) ([607da43](607da43)) * Treat rate limit header value as comma-separated list ([#2282](#2282)) ([5f2e279](5f2e279)) ### Bug Fixes * check each type independently ([#2290](#2290)) ([d9de0af](d9de0af)) * fix the wrong error return value ([#1950](#1950)) ([e2dfb5d](e2dfb5d)) * **indexworker:** remove pg_trgm extension ([#2301](#2301)) ([c553b10](c553b10)) * **oauth-server:** allow custom URI schemes in client redirect URIs ([#2298](#2298)) ([ea72f57](ea72f57)) * tighten email validation rules ([#2304](#2304)) ([33bb372](33bb372)) --------- Co-authored-by: depthfirst-app[bot] <184448029+depthfirst-app[bot]@users.noreply.github.com>
cemalkilic
pushed a commit
that referenced
this pull request
Jan 12, 2026
🤖 I have created a release *beep* *boop* --- ## [2.185.0](v2.184.0...v2.185.0) (2026-01-12) ### Features * Add Sb-Forwarded-For header and IP-based rate limiting ([#2295](#2295)) ([e8f679b](e8f679b)) * allow amr claim to be array of strings or objects ([#2274](#2274)) ([607da43](607da43)) * reset main branch to 2.185.0 ([#2325](#2325)) ([b9d0500](b9d0500)) * Treat rate limit header value as comma-separated list ([#2282](#2282)) ([5f2e279](5f2e279)) ### Bug Fixes * additional provider and issuer checks ([#2326](#2326)) ([cb79a74](cb79a74)) * check each type independently ([#2290](#2290)) ([d9de0af](d9de0af)) * fix the wrong error return value ([#1950](#1950)) ([e2dfb5d](e2dfb5d)) * **indexworker:** remove pg_trgm extension ([#2301](#2301)) ([c553b10](c553b10)) * **oauth-server:** allow custom URI schemes in client redirect URIs ([#2298](#2298)) ([ea72f57](ea72f57)) * tighten email validation rules ([#2304](#2304)) ([33bb372](33bb372)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The goal here is to limit the conditions which resolver implementations can affect the determinism of our DNS checks, without allowing transient DNS failures to block signups:
a@a,a@gmail)