From 65b874b655858ddbb4edc7ea6f44ad6311c65eb7 Mon Sep 17 00:00:00 2001
From: Stojan Dimitrovski
Date: Fri, 22 Aug 2025 13:30:21 +0200
Subject: [PATCH 1/3] fix: fail email sending if email address is empty
---
 internal/api/mail.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/internal/api/mail.go b/internal/api/mail.go
index 569ecf726..8a99c9bcf 100644
--- a/internal/api/mail.go
+++ b/internal/api/mail.go
@@ -594,10 +594,18 @@ func (a *API) sendEmail(r *http.Request, tx *storage.Connection, u *models.User,
 externalURL := getExternalHost(ctx)
 if emailActionType != mail.EmailChangeVerification {
- if u.GetEmail() != "" && !a.checkEmailAddressAuthorization(u.GetEmail()) {
+ if u.GetEmail() == "" {
+ return apierrors.NewInternalServerError("Unable to send email to a user with an empty email address")
+ }
+
+ if !a.checkEmailAddressAuthorization(u.GetEmail()) {
 return apierrors.NewBadRequestError(apierrors.ErrorCodeEmailAddressNotAuthorized, "Email address %q cannot be used as it is not authorized", u.GetEmail())
 }
 } else {
+ if u.EmailChange == "" {
+ return apierrors.NewInternalServerError("Unable to change email address of user to an empty value")
+ }
+
 // first check that the user can update their address to the
 // new one in u.EmailChange
 if u.EmailChange != "" && !a.checkEmailAddressAuthorization(u.EmailChange) {
From 865b5bbf2b0c347267158c6a414016a7f71e4485 Mon Sep 17 00:00:00 2001
From: Stojan Dimitrovski
Date: Fri, 22 Aug 2025 13:33:01 +0200
Subject: [PATCH 2/3] add proper message for missing email address
---
 internal/api/identity.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/internal/api/identity.go b/internal/api/identity.go
index 4c26bccbd..d59a6d28f 100644
--- a/internal/api/identity.go
+++ b/internal/api/identity.go
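Review bot: In the mail.go hunk, the `else` branch of sendEmail still tests `if u.EmailChange != "" && !a.checkEmailAddressAuthorization(u.EmailChange) {`, although the new `u.EmailChange == ""` early return directly above makes the empty-string half dead; the first branch was simplified in this same hunk, so this line should match it as `if !a.checkEmailAddressAuthorization(u.EmailChange) {`. Both new guards return `NewInternalServerError`, so any request path that still reaches sendEmail with an empty address surfaces as a server error rather than a client error; patches 2/3 and 3/3 add unprocessable-entity errors upstream for two such paths. A comment above the guards would make that contract explicit, e.g. `// callers must reject empty addresses before this point; reaching here is a server-side bug`. The sendEmail body starts and ends outside the hunk.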
@@ -133,6 +133,11 @@ func (a *API) linkIdentityToUser(r *http.Request, ctx context.Context, tx *stora
 return nil, terr
 }
 if !userData.Metadata.EmailVerified {
+ if targetUser.GetEmail() == "" {
+ // empty email address is regarded as not verified
+ return nil, apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeEmailNotConfirmed, "No email address provided by %v. Please add a verified email address to your account at %v and try again.", providerType, providerType)
+ }
+
 if terr := a.sendConfirmation(r, tx, targetUser, models.ImplicitFlow); terr != nil {
 return nil, terr
 }
From e1e4ca5461e3426c65c409af4936be131697e240 Mon Sep 17 00:00:00 2001
From: Stojan Dimitrovski
Date: Fri, 22 Aug 2025 14:29:09 +0200
Subject: [PATCH 3/3] one more codepath
---
 internal/api/external.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/internal/api/external.go b/internal/api/external.go
index c2fd8802e..54cda7dea 100644
--- a/internal/api/external.go
+++ b/internal/api/external.go
@@ -416,6 +416,9 @@ func (a *API) createAccountFromExternalIdentity(tx *storage.Connection, r *http.
 return nil, terr
 }
 emailConfirmationSent = true
+ } else {
+ // empty email address is regarded as not verified
+ return nil, apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeEmailNotConfirmed, "No email address provided by %v. Please add a verified email address to your account at %v and try again.", providerType, providerType)
 }
 if !config.Mailer.AllowUnverifiedEmailSignIns {
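Review bot: In the identity.go hunk, the empty-address guard in linkIdentityToUser sits inside `if !userData.Metadata.EmailVerified {`, so a provider response that reports a verified email while `targetUser.GetEmail()` is empty is not stopped by it. Whether the code after this branch handles that case is outside the hunk, but the comment `// empty email address is regarded as not verified` suggests the check belongs before the verified/unverified split. The condition tests the target user's address while the message attributes the missing address to the provider, which holds only if the user's email was just taken from the identity; a one-line comment stating that assumption would help. The same message literal is repeated in the external.go hunk of patch 3/3, and a small shared helper returning this error for a given providerType would keep the two from drifting.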
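Review bot: In the external.go hunk, the new `else` in createAccountFromExternalIdentity returns before the `if !config.Mailer.AllowUnverifiedEmailSignIns {` check on the hunk's last line, so that setting appears to stop applying to identities that arrive without an address. If that is intended, the comment should say so, e.g. `// no address to confirm: reject regardless of AllowUnverifiedEmailSignIns`. The condition of the `if` that this `else` pairs with is above the hunk, so the current comment leaves the reader to infer that the branch means an empty address; naming the tested value in the comment would remove the guesswork. The function body starts and ends outside the hunk.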