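--- a/internal/api/external.go
+++ b/internal/api/external.go
@@ -416,6 +416,9 @@ func (a *API) createAccountFromExternalIdentity(tx *storage.Connection, r *http.
 return nil, terr
 }
 emailConfirmationSent = true
+} else {
+// empty email address is regarded as not verified
+return nil, apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeEmailNotConfirmed, "No email address provided by %v. Please add a verified email address to your account at %v and try again.", providerType, providerType)
 }
 
 if !config.Mailer.AllowUnverifiedEmailSignIns {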
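Review bot: The new `else` branch returns before the `config.Mailer.AllowUnverifiedEmailSignIns` check that follows it, so an identity without an email address is now rejected whatever that setting says, and the comment does not mention this. If that is intended, say so at the branch, for example `// no address means nothing to confirm; rejected even when AllowUnverifiedEmailSignIns is set`. The `if` that this `else` belongs to starts outside the hunk, so the conditions that reach the branch cannot be confirmed from here. The error text is repeated verbatim in internal/api/identity.go, and a shared constant would keep the two copies from drifting apart.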
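--- a/internal/api/identity.go
+++ b/internal/api/identity.go
@@ -133,6 +133,11 @@ func (a *API) linkIdentityToUser(r *http.Request, ctx context.Context, tx *stora
 return nil, terr
 }
 if !userData.Metadata.EmailVerified {
+if targetUser.GetEmail() == "" {
+// empty email address is regarded as not verified
+return nil, apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeEmailNotConfirmed, "No email address provided by %v. Please add a verified email address to your account at %v and try again.", providerType, providerType)
+}
+
 if terr := a.sendConfirmation(r, tx, targetUser, models.ImplicitFlow); terr != nil {
 return nil, terr
 }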
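Review bot: The added guard tests `targetUser.GetEmail()`, but the error text says the provider supplied no address, and nothing in the hunk shows that the target user's email was derived from the provider data at this point. If earlier code in linkIdentityToUser (outside the hunk) copies the identity's email onto the user, the comment should record that, for example `// targetUser's email is still empty after linking, so the provider returned none and sendConfirmation has no recipient`. If the two can differ, the message would mislead a user whose account simply has no email. The guard also runs only when `userData.Metadata.EmailVerified` is false, so an empty address flagged as verified by the provider is not covered here.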
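--- a/internal/api/mail.go
+++ b/internal/api/mail.go
@@ -594,10 +594,18 @@ func (a *API) sendEmail(r *http.Request, tx *storage.Connection, u *models.User,
 externalURL := getExternalHost(ctx)
 
 if emailActionType != mail.EmailChangeVerification {
-if u.GetEmail() != "" && !a.checkEmailAddressAuthorization(u.GetEmail()) {
+if u.GetEmail() == "" {
+return apierrors.NewInternalServerError("Unable to send email to a user with an empty email address")
+}
+
+if !a.checkEmailAddressAuthorization(u.GetEmail()) {
 return apierrors.NewBadRequestError(apierrors.ErrorCodeEmailAddressNotAuthorized, "Email address %q cannot be used as it is not authorized", u.GetEmail())
 }
 } else {
+if u.EmailChange == "" {
+return apierrors.NewInternalServerError("Unable to change email address of user to an empty value")
+}
+
 // first check that the user can update their address to the
 // new one in u.EmailChange
 if u.EmailChange != "" && !a.checkEmailAddressAuthorization(u.EmailChange) {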
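Review bot: The `u.EmailChange != "" &&` test on the last line of the hunk is now redundant, because the guard added just above already returns when `u.EmailChange` is empty. The first branch dropped its equivalent test, so this one should become `if !a.checkEmailAddressAuthorization(u.EmailChange) {` to make both branches read the same way. Both new guards return an internal server error, so any caller that still reaches sendEmail with an empty address will surface as a 500. Callers other than the two patched in this commit are not visible here and are worth checking. sendEmail's body continues past the end of the hunk.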