From adcc05ea3ad6b48bf7a617d50638ab334a158947 Mon Sep 17 00:00:00 2001
From: "Stephen McQuay (smcquay)"
Date: Fri, 22 Apr 2016 23:50:23 -0700
Subject: [PATCH] validate email on register/forgot

Fixes #21.

Change-Id: I21bfd87d6fd730e8a90ceec77c9b23a90bc397e9
---
 server.go | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/server.go b/server.go
index 895149c..ee02133 100644
--- a/server.go
+++ b/server.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"net/mail"
 	"strings"
 
 	verrors "mcquay.me/vain/errors"
@@ -125,7 +126,14 @@ func (s *Server) register(w http.ResponseWriter, req *http.Request) {
 		http.Error(w, "must provide one email parameter", http.StatusBadRequest)
 		return
 	}
-	tok, err := s.db.Register(email[0])
+
+	addr := email[0]
+	if _, err := mail.ParseAddress(addr); err != nil {
+		http.Error(w, fmt.Sprintf("invalid email detected: %v", err), http.StatusBadRequest)
+		return
+	}
+
+	tok, err := s.db.Register(addr)
 	if err := verrors.ToHTTP(err); err != nil {
 		http.Error(w, err.Message, err.Code)
 		return
@@ -160,7 +168,14 @@ func (s *Server) forgot(w http.ResponseWriter, req *http.Request) {
 		http.Error(w, "must provide one email parameter", http.StatusBadRequest)
 		return
 	}
-	tok, err := s.db.forgot(email[0])
+
+	addr := email[0]
+	if _, err := mail.ParseAddress(addr); err != nil {
+		http.Error(w, fmt.Sprintf("invalid email detected: %v", err), http.StatusBadRequest)
+		return
+	}
+
+	tok, err := s.db.forgot(addr)
 	if err := verrors.ToHTTP(err); err != nil {
 		http.Error(w, err.Message, err.Code)
 		return
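Review bot: The parsed result of `mail.ParseAddress` is discarded (`_`) and the raw query value `addr` is what reaches `s.db.Register`, so a value such as `"Some Name" <user@example.com>` passes validation but is stored and presumably mailed with the display name and angle brackets intact rather than the bare address. Keep the parsed value instead: replace `addr := email[0]` and the `if _, err := mail.ParseAddress(addr); err != nil {` guard with `a, err := mail.ParseAddress(email[0])`, `if err != nil {`, and after the guard `addr := a.Address`, so the database and any outgoing mail see the canonical `local@domain` form. The same block is pasted verbatim into forgot in the third hunk; a small helper that parses, writes the 400 response on failure and returns the canonical address would keep the two handlers from drifting. Note also that the 400 body echoes the caller's input back via the parse error, which is fine for a text/plain `http.Error` but worth a comment so nobody later switches it to an HTML response. Both register and forgot begin and end outside the hunks shown.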