Skip to content

fix(auth): validate email format early in register, login & update-user endpoints #160

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

fix(auth): validate email format early in register, login & update-user endpoints #160

wants to merge 4 commits into from

Conversation

@anshifmonz
Copy link

@anshifmonz anshifmonz commented May 20, 2025

Description

Currently, all three authentication-related endpoints (/api/users, /api/users/login, and /api/user) accept any string for the email field and only check existence against the database. This fix adds early-format email validation to all three endpoints.

Since we already enforce a correct email format at registration, it’s redundant (and wasteful) to hit the database every time with an obviously malformed value. This change:

  • Adds early-format validation to the three endpoints
  • Short-circuits invalid requests with a 422 response before any DB lookup
  • Improves performance by avoiding unnecessary database calls
  • Standardizes error messaging for all auth routes

What’s Changed

  1. /api/users (register) endpoint

    • Added email format check using email-validator
    • Returns 422 Unprocessable Entity + 
      {
  "errors": {
    "email": ["is invalid"]
  }
}
      if validation fails

  2. /api/users/login (login) endpoint

    • Moved DB lookup logic after the new format validation
    • Early exit with 422 Unprocessable Entity + same errors payload if email is malformed

  3. /api/user (update user) endpoint

    • Added format check for any incoming email in the update payload
    • Early exit with 422 Unprocessable Entity + same errors payload if malformed

  4. Dependency updates

    • Installed email-validator via npm install email-validator
    • Updated package.json & package-lock.json

How to Test

  • Register

    curl -X POST http://localhost:3000/api/users \
  -H "Content-Type: application/json" \
  -d '{"user": {"email": "bad-email", "username": "user", "password": "passwd"}}'
# 422, {"errors":{"email":["is invalid"]}}

  • LogIn

    curl -X POST http://localhost:3000/api/users/login \
  -H "Content-Type: application/json" \
  -d '{"user": {"email": "bad-email", "password": "passwd"}}'
# 422, {"errors":{"email":["is invalid"]}}

  • Update User

    curl -X PUT http://localhost:3000/api/user \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <YOUR_JWT_TOKEN>" \
  -d '{"user": {"email": "bad-email"}}'
# 422, {"errors":{"email":["is invalid"]}}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@anshifmonz