fix(auth): reject login attempts with bare usernames and enforce domain validation#268
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the authentication process to require email-based identities, rejecting bare usernames. It refactors domain validation to compare the login domain against domains derived from the identity provider or organizational units. Integration and unit tests have been updated to enforce these requirements. Feedback was provided regarding a redundant check for an empty email string that can be removed to simplify the code.
| if email == "" { | ||
| log.Printf("LOGIN: unable to resolve mailbox email from login '%s' and auth id '%s'", username, authResp.ID) | ||
| log.Printf("LOGIN: unable to resolve mailbox email from login '%s'", loginEmail) | ||
| deps.SendResponse(conn, fmt.Sprintf("%s NO [AUTHENTICATIONFAILED] Authentication failed", tag)) | ||
| return | ||
| } |
There was a problem hiding this comment.
This check for an empty email is redundant. The loginEmail variable, from which email is assigned, is validated at the beginning of the authenticateUser function (lines 405-410) to ensure it's not an empty string. Therefore, this block of code is unreachable and can be removed to improve clarity.
1 participant
📌 Description
This PR is to enforce to send email address when logging in.
🔍 Changes Made
✅ Checklist (Email System)
LOGIN,CAPABILITY,LIST,SELECT,FETCH,LOGOUT).🧪 Testing Instructions
To test the server, use the instructions in the README in the
testdirectory.📷 Screenshots / Logs (if applicable)