fix(email): restrict email change. Fixes MA-173 (#227)

* fix(email): restrict email change. Fixes MA-173 * chore(email): add tests and change regex * chore(email): move validation to model
AEGEE · Feb 10, 2021 · 85d7dd1 · 85d7dd1
1 parent 9bafba1
commit 85d7dd1
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 7 deletions.
diff --git a/lib/constants.js b/lib/constants.js
@@ -79,5 +79,6 @@ module.exports = {
         MAIL_CHANGE: 'MyAEGEE: Email change',
         PASSWORD_RESET: 'MyAEGEE: password reset request',
         NEW_JOIN_REQUEST: 'MyAEGEE: new join request for your body'
-    }
+    },
+    RESTRICTED_EMAILS: ['aegee.org', 'aegee.eu']
 };
diff --git a/models/MailChange.js b/models/MailChange.js
@@ -25,7 +25,12 @@ const MailChange = sequelize.define('mail_change', {
         validate: {
             notEmpty: { msg: 'New email should be set.' },
             notNull: { msg: 'New email should be set.' },
-            isEmail: { msg: 'New email should be valid.' }
+            isEmail: { msg: 'New email should be valid.' },
+            isValid(value) {
+                if (constants.RESTRICTED_EMAILS.some((email) => value.includes(email))) {
+                    throw new Error('Email can not be in one of the following domains: ' + constants.RESTRICTED_EMAILS.join(', ').trim() + '.');
+                }
+            }
         },
         unique: true
     },

diff --git a/models/User.js b/models/User.js
@@ -1,14 +1,12 @@
 const bcrypt = require('bcrypt');
 const moment = require('moment');
 
+const constants = require('../lib/constants');
 const { Sequelize, sequelize } = require('../lib/sequelize');
 const config = require('../config');
 
-const RESTRICTED_EMAILS = ['aegee.org', 'aegee.eu'];
 const NAME_REGEX = new RegExp('^[\\p{L}. \\-\']*$', 'u');
 const USERNAME_REGEX = new RegExp('^[a-zA-Z0-9._-]*$');
-// eslint-disable-next-line no-useless-escape
-const EMAIL_REGEX = new RegExp('\@(' + RESTRICTED_EMAILS.join('|').trim() + ')');
 
 const User = sequelize.define('user', {
     username: {
@@ -33,8 +31,8 @@ const User = sequelize.define('user', {
             notNull: { msg: 'Email should be set.' },
             isEmail: { msg: 'Email should be valid.' },
             isValid(value) {
-                if (EMAIL_REGEX.test(value)) {
-                    throw new Error('Email can not be in one of the following domains: ' + RESTRICTED_EMAILS.join(', ').trim() + '.');
+                if (constants.RESTRICTED_EMAILS.some((email) => value.includes(email))) {
+                    throw new Error('Email can not be in one of the following domains: ' + constants.RESTRICTED_EMAILS.join(', ').trim() + '.');
                 }
             }
         },

diff --git a/test/unit/mail-changes.test.js b/test/unit/mail-changes.test.js
@@ -52,6 +52,30 @@ describe('Mail changes', () => {
         }
     });
 
+    test('should fail with invalid new_email (aegee.eu)', async () => {
+        try {
+            const user = await generator.createUser();
+            await generator.createMailChange({ new_email: 'test@aegee.eu' }, user);
+            expect(1).toEqual(0);
+        } catch (err) {
+            expect(err).toHaveProperty('errors');
+            expect(err.errors.length).toEqual(1);
+            expect(err.errors[0].path).toEqual('new_email');
+        }
+    });
+
+    test('should fail with invalid new_email (aegee.org)', async () => {
+        try {
+            const user = await generator.createUser();
+            await generator.createMailChange({ new_email: 'test@aegee.org' }, user);
+            expect(1).toEqual(0);
+        } catch (err) {
+            expect(err).toHaveProperty('errors');
+            expect(err.errors.length).toEqual(1);
+            expect(err.errors[0].path).toEqual('new_email');
+        }
+    });
+
     test('should normalize fields', async () => {
         const user = await generator.createUser();
         const permission = await MailChange.create({