Restrict the length of emails as per RFC (calcom#24269)

hariombalhara · web-flow · commit bbe46eaa7dbd · 2025-10-06T10:22:58.000Z
diff --git a/packages/lib/emailSchema.ts b/packages/lib/emailSchema.ts
@@ -4,4 +4,15 @@ import { z } from "zod";
 export const emailRegex =
   /^(?!\.)(?!.*\.\.)([A-Z0-9_+-\.']*)[A-Z0-9_+'-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i;
 
-export const emailSchema = z.string().regex(emailRegex);
+/**
+ * RFC 5321 Section 4.5.3.1.3 specifies:
+ * - Maximum email address length: 254 characters
+ * - Local part (before @): max 64 characters
+ * - Domain part (after @): max 253 characters
+ */
+const MAX_EMAIL_LENGTH = 254;
+
+export const emailSchema = z
+  .string()
+  .max(MAX_EMAIL_LENGTH, { message: "Email address is too long" })
+  .regex(emailRegex);
diff --git a/packages/prisma/zod-utils.ts b/packages/prisma/zod-utils.ts
@@ -709,7 +709,7 @@ export const emailSchema = emailRegexSchema;
 // I introduced this refinement(to be used with z.email()) as a short term solution until we upgrade to a zod
 // version that will include updates in the above PR.
 export const emailSchemaRefinement = (value: string) => {
-  return emailRegex.test(value);
+  return emailSchema.safeParse(value).success;
 };
 
 export const signupSchema = z.object({
