Merge pull request #212 from supertokens/fix/emailpassword-handle-invalid-req

fix(emailpassword): Send 400 on passing non-string email in request body

Author: rishabhpoddar

CHANGELOG.md

@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+### Bug fix
+- Send 400 instead of 500 on invalid request body or when user passes non-string values as email ID for `/auth/signin`
+
+### Changes
 - Add to test to ensure that overrides are applying correctly in methods called on SessionContainer instances
 
 ## [0.10.2] - 2022-07-14

supertokens_python/recipe/emailpassword/api/utils.py

@@ -73,7 +73,7 @@ async def validate_form_fields_or_throw_error(
                 "All elements of formFields must contain an 'id' and 'value' field"
             )
         value = current_form_field["value"]
-        if current_form_field["id"] == FORM_FIELD_EMAIL_ID:
+        if current_form_field["id"] == FORM_FIELD_EMAIL_ID and isinstance(value, str):
             value = value.strip()
         form_fields.append(FormField(current_form_field["id"], value))
 

supertokens_python/recipe/emailpassword/utils.py

@@ -70,11 +70,11 @@ async def default_password_validator(value: str) -> Union[str, None]:
     return None
 
 
-async def default_email_validator(value: str) -> Union[str, None]:
+async def default_email_validator(value: Any) -> Union[str, None]:
     # We check if the email syntax is correct
     # As per https://github.com/supertokens/supertokens-auth-react/issues/5#issuecomment-709512438
     # Regex from https://stackoverflow.com/a/46181/3867175
-    if (
+    if (not isinstance(value, str)) or (
         fullmatch(
             r'^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,'
             r"3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$",

tests/emailpassword/test_passwordreset.py

@@ -107,14 +107,15 @@ async def test_email_validation_checks_in_generate_token_API(
     )
     start_st()
 
-    response_1 = driver_config_client.post(
-        url="/auth/user/password/reset/token",
-        json={"formFields": [{"id": "email", "value": "random"}]},
-    )
+    for invalid_email in ["random", 5]:
+        res = driver_config_client.post(
+            url="/auth/user/password/reset/token",
+            json={"formFields": [{"id": "email", "value": invalid_email}]},
+        )
 
-    assert response_1.status_code == 200
-    dict_response = json.loads(response_1.text)
-    assert dict_response["status"] == "FIELD_ERROR"
+        assert res.status_code == 200
+        dict_res = json.loads(res.text)
+        assert dict_res["status"] == "FIELD_ERROR"
 
 
 @mark.asyncio