From 2f8b0ad60714abb9c1a777e69a7c967c82acab3a Mon Sep 17 00:00:00 2001
From: 01zulfi <85733202+01zulfi@users.noreply.github.com>
Date: Mon, 30 Mar 2026 14:06:11 +0500
Subject: [PATCH] identity: validate disposable email before sending 'email change' mail (#87)
---
 .../Controllers/AccountController.cs | 23 ++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/Streetwriters.Identity/Controllers/AccountController.cs b/Streetwriters.Identity/Controllers/AccountController.cs
index 79e5df1..05ab2f1 100644
--- a/Streetwriters.Identity/Controllers/AccountController.cs
+++ b/Streetwriters.Identity/Controllers/AccountController.cs
@@ -55,14 +55,26 @@ namespace Streetwriters.Identity.Controllers
 private IPersistedGrantStore PersistedGrantStore { get; set; }
 private ITokenGenerationService TokenGenerationService { get; set; }
 private IUserAccountService UserAccountService { get; set; }
+ private EmailAddressValidator EmailValidator { get; set; }
 private readonly ILogger logger;
- public AccountController(UserManager _userManager, ITemplatedEmailSender _emailSender,
- SignInManager _signInManager, RoleManager _roleManager, IPersistedGrantStore store,
- ITokenGenerationService tokenGenerationService, IMFAService _mfaService, IUserAccountService userAccountService, ILogger logger) : base(_userManager, _emailSender, _signInManager, _roleManager, _mfaService)
+
+ public AccountController(
+ UserManager _userManager,
+ ITemplatedEmailSender _emailSender,
+ SignInManager _signInManager,
+ RoleManager _roleManager,
+ IPersistedGrantStore store,
+ ITokenGenerationService tokenGenerationService,
+ IMFAService _mfaService,
+ IUserAccountService userAccountService,
+ ILogger logger,
+ EmailAddressValidator emailValidator
+ ) : base(_userManager, _emailSender, _signInManager, _roleManager, _mfaService)
 {
 PersistedGrantStore = store;
 TokenGenerationService = tokenGenerationService;
 UserAccountService = userAccountService;
+ EmailValidator = emailValidator;
 this.logger = logger;
 }
@@ -131,6 +143,11 @@ namespace Streetwriters.Identity.Controllers
 }
 else
 {
+ if (!await EmailValidator.IsEmailAddressValidAsync(newEmail.ToLowerInvariant()))
+ {
+ return BadRequest("Invalid email address.");
+ }
+
 var code = await UserManager.GenerateChangeEmailTokenAsync(user, newEmail);
 await EmailSender.SendChangeEmailConfirmationAsync(newEmail, code, client);
 }
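Review bot: The constructor now receives the concrete `EmailAddressValidator` while every other collaborator it is handed is an interface (`IPersistedGrantStore`, `ITokenGenerationService`, `IUserAccountService`, `IMFAService`), so this one dependency cannot be swapped for a test double the way the others can. If the validator has, or can be given, an interface abstraction, taking that in the parameter list and in the `EmailValidator` property would keep the controller consistent with its existing wiring. The `{ get; set; }` property for an injection-only dependency follows the file's existing convention and is fine to leave as is.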
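Review bot: The new guard validates `newEmail.ToLowerInvariant()` while the token generation and the confirmation mail on the next two lines use `newEmail` exactly as received, so the address that is checked is not byte-for-byte the address that is acted on; whether that is intended depends on how `IsEmailAddressValidAsync` treats case, which the hunk does not show. If the validator already normalizes its input, the call can simply be `if (!await EmailValidator.IsEmailAddressValidAsync(newEmail))`; otherwise a comment such as `// validator expects a lower-cased address; the original casing is kept for the token and the mail` would record the intent for the next reader. Note also that `ToLowerInvariant()` dereferences `newEmail` before the validator runs, so unless the action already rejects a null or empty `newEmail` earlier (that part is outside the hunk), a null value surfaces as a NullReferenceException (500) instead of this 400. The enclosing action method begins and ends outside the hunk.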