Facebook sign up form doesn't validate email address


(probus) #1

The sign up form (below) doesn’t validate the email address field when signing up with facebook.

Continuing the discussion from Why showing blank email box during Facebook sign up?:


(Jeff Atwood) #2

Sorry, what is the issue? If the email is returned by Facebook it is by definition valid.


(probus) #3

From the linked topic:

If they choose not to share, they can then type in whatever.

We just had a user try to sign up who I’m pretty sure typed their preferred username there and probably never even looked at the labels.


(Matt Palmer) #4

Aaaaah, this is how you ended up with a user with “tennistähti” as their e-mail address!

Nice detective work tracking that down.


(Kane York) #6

We should re-review how the Facebook oauth handler works.


(Jeff Atwood) #9

We can’t repro a scenario where a user signs up via Facebook and gets an invalid email address.

It is definitely possible that email address is explicitly refused in their Facebook options, but then we validate it by sending them an email to that address with a magic GUID to click or tap.

Can you give us explicit repro steps here? Because we can’t repro this.


(probus) #10

Yes, but it is not validated in the form. You can type in anything and get through. You can’t in the regular sign up form:


(Jeff Atwood) #11

We can’t reproduce this – the email will be validated, e.g. an email with a GUID they have to click is sent. This is true of any provider who does not validate (or send) emails, e.g. Twitter.

It will also be true of a Facebook user who has set their email prefs to “never share my email on oAuth 2 login”, or whatever the relevant user pref is there. I think it is also possible to have a Facebook account with no email associated in the Facebook user database in some rare circumstances.


(probus) #12

Actually, doesn’t seem to validate the username either. Notice the different shade of blue in the “create a new account” buttons in the screenshots. These are from meta a minute ago:

facebook

username/password


(Jeff Atwood) #13

Sorry, what point are you making here? I am not following you. Were you able to create an account here or on try.discourse.org with an invalid email?


(probus) #14

Sorry. If you can’t see the difference, I can’t make it any more clear.


(Jeff Atwood) #15

I ask again. Were you able to create an account here or on try.discourse.org with an invalid email?

Yes or no answer please. Were you? Do you have a repro?


(Mittineague) #16

To me the red X message is indicating the input field is not valid.

Are you saying invalid input values don’t stop submission? i.e. it creates an account that will soon be pruned.


(Jeff Atwood) #17

Unknown, he is not telling us whether he has a repro, or what the repro steps even are. Can you demonstrate the problem @probus? What are the repro steps? Can you point us to an account here or on meta with the problem?

We do know for sure some Facebook accounts have either blocked email sharing via oAuth 2, or do not have emails. We have known this for years now. We already handle this by sending an email validation in the Facebook provider in those cases…


(probus) #18

Yes. I just created an account ‘probus1’ here with ‘anything’ as email address. Feel free to remove it.


(Jeff Atwood) #19

No you did not – it is an unvalidated, incomplete, unusable account, which means you did not validate the email associated with it:

Hence the grey background, and it will get culled in 7 days like any other unvalidated account.

I can agree with you that we should not allow crazy clearly invalid email addresses to be entered in this case – that is a bug – but it is not a valid, real user account until the GUID in that validation email is clicked or tapped.

So the impact is pretty low, these accounts would only exist for 7 days and not in a usable state. If you try to log in as that user you will get the standard “can’t log in until validation email is clicked, send again?” response…

Anyway @neil you should have a look at this code path, so we don’t have 7 days of completely bogus Facebook account emails hanging around waiting for a validation that can never arrive since they entered the email address “badonkadonk” etc.


(Mittineague) #20

How anyone can miss seeing the red X message is beyond me, but then I suppose I know because I know.

Maybe if it were possible to have a (rate limited) invalid submit reload the modal they’d eventually read it?


(Neil Lalonde) #21

A post was merged into an existing topic: Configuring Facebook login for Discourse


(Neil Lalonde) #22

I committed a change today so email is validated in the form for 3rd party auth too. We had decided not to do this at some point, but it should be safe to at least validate that the email field makes sense.