use re lib to validate emails

harminius · harminius · commit d4ac7ed2ee6b · 2025-11-07T07:33:37.000+01:00
diff --git a/server/mergin/auth/forms.py b/server/mergin/auth/forms.py
@@ -1,6 +1,7 @@
 # Copyright (C) Lutra Consulting Limited
 #
 # SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-MerginMaps-Commercial
+
 import re
 import safe
 from flask_wtf import FlaskForm
@@ -17,7 +18,6 @@
 
 from .models import MAX_USERNAME_LENGTH, User
 from ..app import UpdateForm, CustomStringField
-from .utils import get_email_domain
 
 
 def username_validation(form, field):
@@ -51,25 +51,20 @@ class ExtendedEmail(Email):
     3, multiple @ symbols,
     4, leading, trailing, or consecutive dots in the local part,
     5, invalid domain part - missing top level domain (user@example), consecutive dots,
-    Custom check for
-    - additional invalid characters disallows |'—
-    - non-ASCII characters in the domain part
-    because they make our email sending service to fail
+    The extended validation checks email addresses using the regex provided by Brevo,
+    so that we stay consistent with their validation rules and avoid API failures.
     """
 
     def __call__(self, form, field):
         super().__call__(form, field)
 
-        if re.search(r"[|'—]", field.data):
-            raise ValidationError(
-                f"Email address '{field.data}' contains an invalid character."
-            )
+        email = field.data.strip()
 
-        domain = get_email_domain(field.data)
-        if not domain.isascii():
-            raise ValidationError(
-                f"Email address '{field.data}' contains non-ASCII characters in the domain part."
-            )
+        pattern = r"^[\x60#&*\/=?^{!}~'+\w-]+(\.[\x60#&*\/=?^{!}~'+\w-]+)*\.?@([_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*\.)[a-zA-Z0-9-]*[a-zA-Z0-9]{2,}$"
+        email_regexp = re.compile(pattern, re.IGNORECASE)
+
+        if not email_regexp.match(email):
+            raise ValidationError(f"Email address '{email}' is invalid.")
 
 
 class PasswordValidator:
diff --git a/server/mergin/tests/test_auth.py b/server/mergin/tests/test_auth.py
@@ -125,7 +125,11 @@ def test_logout(client):
         400,
     ),  # tests with upper case, but email already exists
     (" mergin@mergin.com  ", "#pwd123", 400),  # invalid password
-    ("verylonglonglonglonglonglonglongemail@example.com", "#pwd1234", 201),
+    (
+        "verylonglonglonglonglonglonglongemail@lutra-consulting.co.uk",
+        "#pwd1234",
+        201,
+    ),  # long local part, second-level domain, dash in domain
     ("us.er@mergin.com", "#pwd1234", 201),  # dot is allowed
     ("us er@mergin.com", "#pwd1234", 400),  # space is disallowed
     ("test@gmaiñ.com", "#pwd1234", 400),  # non-ASCII character in the domain
@@ -946,6 +950,7 @@ def test_server_usage(client):
     (" user", True),  # starting with space (will be stripped)
     ("us.er", True),  # dot in the middle
     (".user", False),  # starting with dot
+    ("us-er", True),  # hyphen
 ]
 
 
