• emailval.js accepts incomplete email addresses

    From Codefenix@VERT/CONCHAOS to All on Thursday, August 29, 2024 08:30:00
    A new user stopped by early this morning. When validating the email address, they entered an incomplete one (e.g.: user-name@gmail).

    The emailval.js script accepted this and logged the error:

    8/29 03:27:06a Node 1 <user> !JavaScript C:\sbbs\mods\emailval.js line 130: Error: Unroutable QWKnet "to_net_addr" (gmail) in recipient object

    This allowed the user to bypass the email validation process and proceed to the main menu. Granted, they didn't have their default access level adjusted either.

    I assume the system must be treating user.netmail values without a "." to the right of the "@" symbol as QWKnet addresses?

    In any case, I copied emailval.js script to /sbbs/mods, and added a check to the SendValidationEmail function to ensure that user.netmail values contain both a "@" and a ".":

    if (user.netmail.indexOf(".") < 0 && user.netmail.indexOf("@") < 0) {
    console.print("\r\n'" + user.netmail + "' is not a valid email address!");
    console.pause();
    return;
    }

    This should screen out incomplete values, and prevent unwanted validation bypass attempts.

    |01<|09co|03d|11e|15Ÿ|11e|03n|09ix|01>|07


    ...Ignorance is the mother of research.
    ---
    þ Synchronet þ -=[ ConstructiveChaos BBS | conchaos.synchro.net ]=-
  • From Keyop@VERT/MAGNUMUK to Codefenix on Thursday, August 29, 2024 23:01:00
    Re: emailval.js accepts incomplete email addresses
    By: Codefenix to All on Thu Aug 29 2024 08:30:51

    A new user stopped by early this morning. When validating the email address, they entered an incomplete one (e.g.: user-name@gmail).

    The emailval.js script accepted this and logged the error:

    8/29 03:27:06a Node 1 <user> !JavaScript C:\sbbs\mods\emailval.js line 130: Error: Unroutable QWKnet "to_net_addr" (gmail) in recipient object

    This allowed the user to bypass the email validation process and proceed to the main menu. Granted, they didn't have their default access level adjusted either.

    I assume the system must be treating user.netmail values without a "." to the right of the "@" symbol as QWKnet addresses?

    In any case, I copied emailval.js script to /sbbs/mods, and added a check to the SendValidationEmail function to ensure that user.netmail values contain both a "@" and a ".":

    if (user.netmail.indexOf(".") < 0 && user.netmail.indexOf("@") < 0) {
    console.print("\r\n'" + user.netmail + "' is not a valid email address!");
    console.pause();
    return;
    }

    This should screen out incomplete values, and prevent unwanted validation bypass attempts.

    I've had a similar problem with someone using @domain

    I will look to use your code, but I think it would be great if DigitalMan could add a fix to master.

    ---
    þ Synchronet þ >>> Magnum BBS <<< - bbs.magnum.uk.net
  • From MRO@VERT/BBSESINF to Codefenix on Thursday, August 29, 2024 17:19:00
    Re: emailval.js accepts incomplete email addresses
    By: Codefenix to All on Thu Aug 29 2024 08:30 am

    In any case, I copied emailval.js script to /sbbs/mods, and added a check to the SendValidationEmail function to ensure that user.netmail values contain both a "@" and a ".":

    if (user.netmail.indexOf(".") < 0 && user.netmail.indexOf("@") < 0) {
    console.print("\r\n'" + user.netmail + "' is not a valid email address!");
    console.pause();
    return;
    }

    This should screen out incomplete values, and prevent unwanted validation bypass attempts.


    "user@null."

    set it up to send the user the login password and disconnect them.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From MRO@VERT/BBSESINF to Keyop on Friday, August 30, 2024 07:13:00
    Re: emailval.js accepts incomplete email addresses
    By: Keyop to Codefenix on Thu Aug 29 2024 11:01 pm

    I've had a similar problem with someone using @domain

    put that in your .can
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Codefenix@VERT/CONCHAOS to MRO on Friday, August 30, 2024 15:53:00
    Re: emailval.js accepts incomplete email addresses
    By: MRO to Keyop on Fri Aug 30 2024 07:13 am

    put that in your .can

    Vulgar as ever, I see.

    |01<|09co|03d|11e|15Ÿ|11e|03n|09ix|01>|07


    ...Ignorance is the mother of research.
    ---
    þ Synchronet þ -=[ ConstructiveChaos BBS | conchaos.synchro.net ]=-
  • From MRO@VERT/BBSESINF to Codefenix on Friday, August 30, 2024 20:24:00
    Re: emailval.js accepts incomplete email addresses
    By: Codefenix to MRO on Fri Aug 30 2024 03:53 pm

    Re: emailval.js accepts incomplete email addresses
    By: MRO to Keyop on Fri Aug 30 2024 07:13 am

    put that in your .can

    Vulgar as ever, I see.

    it's my opinion that not enough people are putting things in their .can
    you can do a lot of tricks.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From nelgin@VERT/EOTLBBS to Codefenix on Saturday, August 31, 2024 00:45:00
    Re: emailval.js accepts incomplete email addresses
    By: Codefenix to All on Thu Aug 29 2024 08:30:51

    if (user.netmail.indexOf(".") < 0 && user.netmail.indexOf("@") < 0) {
    console.print("\r\n'" + user.netmail + "' is not a valid email address!");
    console.pause();
    return;
    }

    Why not put this into a gitlab issue so Digital Man can review or add it, or maybe you could do a pull request?

    Even better, it might be nice to have a method for sbbs to check if an email is valid, since this could be used in other places.

    maybe valid_netmail(address) checks for user@ whatever valid formats valid_email(address) - check for user@domain.tld
    valid_local(address) - checks user number, alias, handle and full name

    ---
    þ Synchronet þ End Of The Line BBS - endofthelinebbs.com
  • From MRO@VERT/BBSESINF to nelgin on Saturday, August 31, 2024 10:48:00
    Re: emailval.js accepts incomplete email addresses
    By: nelgin to Codefenix on Sat Aug 31 2024 12:45 am


    Why not put this into a gitlab issue so Digital Man can review or add it, or maybe you could do a pull request?

    Even better, it might be nice to have a method for sbbs to check if an email is valid, since this could be used in other places.

    maybe valid_netmail(address) checks for user@ whatever valid formats valid_email(address) - check for user@domain.tld
    valid_local(address) - checks user number, alias, handle and full name


    it's easily defeatable. no need to add it.
    let the sysops do their jobs. they can script something up or use a .can file like i suggested.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Keyop@VERT/MAGNUMUK to nelgin on Saturday, August 31, 2024 23:19:00
    Re: emailval.js accepts incomplete email addresses
    By: nelgin to Codefenix on Sat Aug 31 2024 00:45:11

    Why not put this into a gitlab issue so Digital Man can review or add it, or maybe you could do a pull request?

    Even better, it might be nice to have a method for sbbs to check if an email is valid, since this could be used in other places.

    maybe valid_netmail(address) checks for user@ whatever valid formats valid_email(address) - check for user@domain.tld
    valid_local(address) - checks user number, alias, handle and full name

    Could also include an SMTP VRFY check too :)

    ---
    þ Synchronet þ >>> Magnum BBS <<< - bbs.magnum.uk.net
  • From echicken@VERT/ECBBS to Codefenix on Saturday, August 31, 2024 21:05:00
    Re: emailval.js accepts incomplete email addresses
    By: Codefenix to All on Thu Aug 29 2024 08:30:51

    if (user.netmail.indexOf(".") < 0 && user.netmail.indexOf("@") < 0) {

    If you *really* want to check if an email address is valid, then there's a whole rabbit hole of standards and regex fun you can go down.

    I have to wonder why/if this is even necessary in the context of email validation. If the email address is fucked, then the user will not get validated. If they want to gain access, they'll need to supply a working address. Sort of a self-solving problem right?

    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    ---
    þ Synchronet þ electronic chicken bbs - bbs.electronicchicken.com
  • From Digital Man@VERT to nelgin on Saturday, August 31, 2024 18:36:00
    Re: emailval.js accepts incomplete email addresses
    By: nelgin to Codefenix on Sat Aug 31 2024 12:45 am

    Even better, it might be nice to have a method for sbbs to check if an email is valid, since this could be used in other places.

    maybe valid_netmail(address) checks for user@ whatever valid formats valid_email(address) - check for user@domain.tld

    See netaddr_type() at https://synchro.net/docs/jsobjs.html

    valid_local(address) - checks user number, alias, handle and full name

    system.matchuser() should work for that.
    --
    digital man (rob)

    Sling Blade quote #7:
    Karl: I don't reckon the Good Lord would send anybody like you to Hades.
    Norco, CA WX: 82.2øF, 55.0% humidity, 9 mph W wind, 0.00 inches rain/24hrs
    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Digital Man@VERT to echicken on Saturday, August 31, 2024 18:39:00
    Re: emailval.js accepts incomplete email addresses
    By: echicken to Codefenix on Sat Aug 31 2024 09:05 pm

    Re: emailval.js accepts incomplete email addresses
    By: Codefenix to All on Thu Aug 29 2024 08:30:51

    if (user.netmail.indexOf(".") < 0 && user.netmail.indexOf("@") < 0) {

    If you *really* want to check if an email address is valid, then there's a whole rabbit hole of standards and regex fun you can go down.

    I have to wonder why/if this is even necessary in the context of email validation. If the email address is fucked, then the user will not get validated. If they want to gain access, they'll need to supply a working address. Sort of a self-solving problem right?

    I think it'd be more user-friendly if the script only supports Internet mail (which in this case, I think it's expected) and it rejected (with a friendly message) any invalid Internet mail addresses, just in case the user wasn't intentionally trying to fool the script, but rather just typoed or assumed a FidoNet or QWKnet address could be used (maybe they can?). I don't know, I didn't actually write the script in question.
    --
    digital man (rob)

    Breaking Bad quote #48:
    I am not in danger, Skyler. I am the danger. - Walter White
    Norco, CA WX: 82.2øF, 55.0% humidity, 9 mph W wind, 0.00 inches rain/24hrs
    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Nightfox@VERT/DIGDIST to echicken on Saturday, August 31, 2024 19:26:00
    Re: emailval.js accepts incomplete email addresses
    By: echicken to Codefenix on Sat Aug 31 2024 09:05 pm

    if (user.netmail.indexOf(".") < 0 && user.netmail.indexOf("@") < 0) {

    If you *really* want to check if an email address is valid, then there's a whole rabbit hole of standards and regex fun you can go down.

    I have to wonder why/if this is even necessary in the context of email validation. If the email address is fucked, then the user will not get validated. If they want to gain access, they'll need to supply a working address. Sort of a self-solving problem right?

    I imagine it could probably tell the user the email address they entered is invalid and give the user another chance to re-enter their email address.

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From MRO@VERT/BBSESINF to echicken on Saturday, August 31, 2024 23:19:00
    Re: emailval.js accepts incomplete email addresses
    By: echicken to Codefenix on Sat Aug 31 2024 09:05 pm

    If you *really* want to check if an email address is valid, then there's a whole rabbit hole of standards and regex fun you can go down.

    I have to wonder why/if this is even necessary in the context of email validation. If the email address is fucked, then the user will not get validated. If they want to gain access, they'll need to supply a working address. Sort of a self-solving problem right?


    exactly. it's better for the user to sign up, give an email address and have the password sent to them, then disconnect the user.

    It's worked for me for decades with multiple bbses.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From MRO@VERT/BBSESINF to Digital Man on Saturday, August 31, 2024 23:20:00
    Re: emailval.js accepts incomplete email addresses
    By: Digital Man to echicken on Sat Aug 31 2024 06:39 pm

    I think it'd be more user-friendly if the script only supports Internet mail (which in this case, I think it's expected) and it rejected (with a friendly message) any invalid Internet mail addresses, just in case the user wasn't intentionally trying to fool the script, but rather just typoed or assumed a FidoNet or QWKnet address could be used (maybe they can?). I don't know, I didn't actually write the script in question.

    and if it rejects them, they just find a way around it. by using something like mailinator or another bbses email address.

    it's just not worth focusing on.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From echicken@VERT/ECBBS to Digital Man on Sunday, September 01, 2024 02:49:00
    Re: emailval.js accepts incomplete email addresses
    By: Digital Man to echicken on Sat Aug 31 2024 18:39:21

    I think it'd be more user-friendly if the script only supports Internet mail (which in this case, I think it's expected) and it rejected (with a friendly message) any invalid Internet mail addresses, just in case the

    Or it can just say:

    "Sending validation email to the@address.you.typed.in"

    and offer the user a way to correct the address if they see that it's wrong.
    I only say this because properly validating an email address often goes awry and either bad addresses are accepted or legit ones are rejected.

    typoed or assumed a FidoNet or QWKnet address could be used (maybe they can?). I don't know, I didn't actually write the script in question.

    It might as well allow for validation over Fido/QWK, and that'd be another two formats to check for (or not).

    It's easy enough to get a throwaway internet email address (eg. by signing up on another Synchronet board) so demanding this net type isn't really the gatekeeping measure it seems. This is why I ask for a scan of government-issued photo ID, and a picture of the user holding said ID up next to their face, and have them fax in a signed contract before I allow them to use my B.B.S.

    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    ---
    þ Synchronet þ electronic chicken bbs - bbs.electronicchicken.com
  • From echicken@VERT/ECBBS to Nightfox on Sunday, September 01, 2024 03:02:00
    Re: emailval.js accepts incomplete email addresses
    By: Nightfox to echicken on Sat Aug 31 2024 19:26:51

    I imagine it could probably tell the user the email address they entered is invalid and give the user another chance to re-enter their email address.

    It probably could, and it'll probably work for most email addresses so if we're not going for perfection that's fine.

    I mean I'm not using this script so what do I care. I'm just typing and avoiding going to bed at this point.

    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    ---
    þ Synchronet þ electronic chicken bbs - bbs.electronicchicken.com
  • From kk4qbn@VERT/KK4QBN to echicken on Sunday, September 01, 2024 04:20:00
    Re: emailval.js accepts incomplete email addresses
    By: echicken to Digital Man on Sun Sep 01 2024 02:49:42

    It's easy enough to get a throwaway internet email address (eg. by signing up on another Synchronet > board) so demanding this net type isn't really the gatekeeping measure it seems. This is why I ask > a scan of government-issued photo ID, and a picture of the user holding said ID up next to their fa > and have them fax in a signed contract before I allow them to use my B.B.S.

    You should make them do the full 3d scan of their face starting from the side profile all the way
    around past the front, I've been doing it this way since 99 and it keeps all them mal-conformers away.
    ---
    Tim (kk4qbn)
    +o kk4qbn.synchro.net
    þ Synchronet þ KK4QBN BBS - kk4qbn.synchro.net - Chatsworth, GA USA
  • From Codefenix@VERT/CONCHAOS to echicken on Sunday, September 01, 2024 09:51:00
    Re: emailval.js accepts incomplete email addresses
    By: echicken to Codefenix on Sat Aug 31 2024 09:05 pm

    If you *really* want to check if an email address is valid, then there's a whole rabbit hole of standards and regex fun you can go down.
    I have to wonder why/if this is even necessary in the context of email validation. If the email address is fucked, then the user will not get validated. If they want to gain access, they'll need to supply a working address. Sort of a self-solving problem right?

    No, not quite. I must not have made it very clear in my initial post. The reason why I would want to "pre-validate" an email address is because someone entered an incomplete one on my system (user@gmail), and it broke the script because the script (incorrectly) treated the entry as though it were a QWKmail address. This let the user skip validation and proceed to main, when it should have screened them out instead.

    |01<|09co|03d|11e|15Ÿ|11e|03n|09ix|01>|07


    ...If you can't see the bright side, polish the dull side.
    ---
    þ Synchronet þ -=[ ConstructiveChaos BBS | conchaos.synchro.net ]=-
  • From echicken@VERT/ECBBS to Codefenix on Sunday, September 01, 2024 23:55:00
    Re: emailval.js accepts incomplete email addresses
    By: Codefenix to echicken on Sun Sep 01 2024 09:51:25

    someone entered an incomplete one on my system (user@gmail), and it broke the script because the script (incorrectly) treated the entry as though it were a QWKmail address. This let the user skip validation and proceed to main, when it should have screened them out instead.

    It sounds like this script is not doing what I assume an email validation module would do: execute on logon, nag the user to enter a code, tell them where it sent the code, and let them request a re-send (optionally to a new address) - or exit quietly if validation is complete. Maybe on first run it lets them enter a target email address which may be different from what they supplied on the newuser form.

    Beyond that it shouldn't matter if the user can get to the main menu, because their unvalidated account wouldn't have permission to do much.

    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    ---
    þ Synchronet þ electronic chicken bbs - bbs.electronicchicken.com
  • From Digital Man@VERT to Codefenix on Wednesday, September 04, 2024 22:05:00
    Re: emailval.js accepts incomplete email addresses
    By: Codefenix to echicken on Sun Sep 01 2024 09:51 am

    Re: emailval.js accepts incomplete email addresses
    By: echicken to Codefenix on Sat Aug 31 2024 09:05 pm

    If you *really* want to check if an email address is valid, then there's a whole rabbit hole of standards and regex fun you can go down. I have to wonder why/if this is even necessary in the context of email validation. If the email address is fucked, then the user will not get validated. If they want to gain access, they'll need to supply a working address. Sort of a self-solving problem right?

    No, not quite. I must not have made it very clear in my initial post. The reason why I would want to "pre-validate" an email address is because someone entered an incomplete one on my system (user@gmail), and it broke the script because the script (incorrectly) treated the entry as though it were a QWKmail address. This let the user skip validation and proceed to main, when it should have screened them out instead.

    I don't think that's how that script works though. It doesn't "screen people out" (that provide an invalid email address).
    --
    digital man (rob)

    Sling Blade quote #6:
    Karl: he should've had a chance to grow up. He would had fun some time.
    Norco, CA WX: 88.4øF, 30.0% humidity, 1 mph NE wind, 0.00 inches rain/24hrs
    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Codefenix@VERT/CONCHAOS to Digital Man on Thursday, September 05, 2024 08:34:00
    Re: emailval.js accepts incomplete email addresses
    By: Digital Man to Codefenix on Wed Sep 04 2024 10:05 pm

    I don't think that's how that script works though. It doesn't "screen people out" (that provide an invalid email address).

    The list of available options in the script's menu imply exactly that.

    [S] Send validation code to <email address>
    [V] Validate your account
    [E] Edit/Update email address
    [H] Hangup

    If the sysop has the emailval module enabled, it gets called during logon. The user is meant to validate or hit the bricks.

    There is no 5th option to proceed unvaliated, otherwise I could agree with you about the script's intent.

    |01<|09co|03d|11e|15Ÿ|11e|03n|09ix|01>|07


    ...God made everything out of nothing. But the nothingness shows through.
    ---
    þ Synchronet þ -=[ ConstructiveChaos BBS | conchaos.synchro.net ]=-
  • From echicken@VERT/ECBBS to Codefenix on Thursday, September 05, 2024 09:47:00
    Re: emailval.js accepts incomplete email addresses
    By: Codefenix to Digital Man on Thu Sep 05 2024 08:34:45

    The user is meant to validate or hit the bricks.

    There is no 5th option to proceed unvaliated, otherwise I could agree with you about the script's intent.

    Thanks for explaining - I've been too lazy to actually look at the script so this clarifies things a bit.

    I think this script probably needs a rewrite or significant revision.

    - Permitted netmail types should be configurable and strings validated
    - Block logon for unvalidated users should be optional
    - On fatal error, should hang up or just exit depending on above setting

    Seems like at the moment it has a poor failure mode and was written with a perplexing misunderstanding of newuser restrictions.

    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    ---
    þ Synchronet þ electronic chicken bbs - bbs.electronicchicken.com
  • From Digital Man@VERT to Codefenix on Thursday, September 05, 2024 12:38:00
    Re: emailval.js accepts incomplete email addresses
    By: Codefenix to Digital Man on Thu Sep 05 2024 08:34 am

    Re: emailval.js accepts incomplete email addresses
    By: Digital Man to Codefenix on Wed Sep 04 2024 10:05 pm

    I don't think that's how that script works though. It doesn't "screen people out" (that provide an invalid email address).

    The list of available options in the script's menu imply exactly that.

    [S] Send validation code to <email address>
    [V] Validate your account
    [E] Edit/Update email address
    [H] Hangup

    If the sysop has the emailval module enabled, it gets called during logon. The user is meant to validate or hit the bricks.

    There is no 5th option to proceed unvaliated, otherwise I could agree with you about the script's intent.

    Yeah, I'm not familiar with (don't run) that script. I'll take a closer look at it.
    --
    digital man (rob)

    Rush quote #49:
    Some will sell their dreams for small desires or lose the race to rats
    Norco, CA WX: 104.6øF, 19.0% humidity, 3 mph WNW wind, 0.00 inches rain/24hrs ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From MRO@VERT/BBSESINF to Digital Man on Thursday, September 05, 2024 21:19:00
    Re: emailval.js accepts incomplete email addresses
    By: Digital Man to Codefenix on Thu Sep 05 2024 12:38 pm

    with you about the script's intent.

    Yeah, I'm not familiar with (don't run) that script. I'll take a closer look at it.

    i think tracker1 wrote it years ago.

    it probably would be better to send a user a generated password and disconnect them.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Codefenix@VERT/CONCHAOS to MRO on Friday, September 06, 2024 11:02:00
    Re: emailval.js accepts incomplete email addresses
    By: MRO to Digital Man on Thu Sep 05 2024 09:19 pm

    it probably would be better to send a user a generated password and disconnect them.

    I mean, that's effectively the same thing as what the emailval module currently is doing now, except your approach forces the user to drop and re-connect. emailval keeps the the user on, which I think is preferable.

    |01<|09co|03d|11e|15Ÿ|11e|03n|09ix|01>|07


    ...Fear is no great respecter of reason.
    ---
    þ Synchronet þ -=[ ConstructiveChaos BBS | conchaos.synchro.net ]=-
  • From MRO@VERT/BBSESINF to Codefenix on Sunday, September 08, 2024 06:39:00
    Re: emailval.js accepts incomplete email addresses
    By: Codefenix to MRO on Fri Sep 06 2024 11:02 am

    Re: emailval.js accepts incomplete email addresses
    By: MRO to Digital Man on Thu Sep 05 2024 09:19 pm

    it probably would be better to send a user a generated password and disconnect them.

    I mean, that's effectively the same thing as what the emailval module currently is doing now, except your approach forces the user to drop and re-connect. emailval keeps the the user on, which I think is preferable.


    depending on where the email comes from, the user could be sitting there for a while if it's being put on hold by the reciever's email provider.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::