Validate email before creating identity during join code redemption

Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.

See similar change in #1996 for sign-in and sign-up
This commit is contained in:
Mike Dalessio
2025-12-07 13:26:31 -05:00
parent 12eceb97eb
commit 661a7e5e2d
2 changed files with 30 additions and 7 deletions
@@ -82,4 +82,16 @@ class JoinCodesControllerTest < ActionDispatch::IntegrationTest
assert_redirected_to session_magic_link_url(script_name: nil)
assert_not_predicate cookies[:session_token], :present?
end
test "create with invalid email address" do
# Avoid Sentry exceptions when attackers try to stuff invalid emails into the system
without_action_dispatch_exception_handling do
assert_no_difference -> { Identity.count } do
assert_no_difference -> { User.count } do
post join_path(code: @join_code.code, script_name: @account.slug), params: { email_address: "not-a-valid-email" }
end
end
assert_response :unprocessable_entity
end
end
end