-
Notifications
You must be signed in to change notification settings - Fork 648
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Email addresses should not be validated on login #6504
Comments
From what I understand, this is expected. environment:
PGADMIN_CONFIG_CHECK_EMAIL_DELIVERABILITY: "False"
PGADMIN_CONFIG_SECURITY_EMAIL_VALIDATOR_ARGS: "{\"check_deliverability\": CHECK_EMAIL_DELIVERABILITY}" Or using a config-local.py file: CHECK_EMAIL_DELIVERABILITY = False
SECURITY_EMAIL_VALIDATOR_ARGS = \
{"check_deliverability": CHECK_EMAIL_DELIVERABILITY} [Edit] the syntax of the email address should still be valid even with this, but that's acceptable IMO. |
I don't see this as expected behaviour. An upgrade should not invalidate previously working logins. Of course one can work around the issue, but that's not the point, really. As you pointed out, emailvalidator seems to allow to validate deliverability separately from syntactic correctness (which might be an actually necessary check, to determine if it's a username or an email). As deliverability of an email is not a factor when logging in, it should not be put into consideration. Such validation should only happen on registration and possibly password recovery (and there it should produce a meaningful error message separate from "invalid email"). |
@GuillaumeRossolini check deliverability is False by default, below is the default setting:
|
@adityatoshniwal I hadn't seen that, thanks for pointing it out. I had lots of trouble with v5.4 at the time, and I didn't see that 5.5 fixed it. Still, the hardening of the email syntax check isn't obvious, especially in a minor release (which is probably the issue here). I mostly agree with @immanuel-h, that was a very confusing issue when it happened to me. It was sort-of documented in the changelog for a minor release, under a seemingly unrelated name:
|
@GuillaumeRossolini so this actually comes from flask-security-too? Should I raise a defect with them then? |
Yes that's where this change comes from I don't imagine the folks at flask-security-too would be interested, since their change happened over a major milestone (v4.0.0, I think?). You can expect backwards compatibility issues for major versions. Perhaps simply, as you suggested, a message in pgadmin's logs? There is in fact a helpful log message if you start the server with an invalid admin email address (in my case with the Docker image): environment:
PGADMIN_DEFAULT_EMAIL: pgadmin@localhost
If I rectify the PGADMIN_DEFAULT_EMAIL environment by appending a ".net" then the server starts successfully, but logging in without the ".net" suffix doesn't provide any help to the end user or the instance admin. At no point in the startup sequence did such a message appear either. [Edit] Looks like the actual change comes from pypi in flask-security v4, at the time it was bumped for pgadmin v5.4
|
Seems like an unintentional side effect to me then. I.e. the change just is about storing, not validating on login. I'll make a ticket and see what comes of it. |
Nice, flask-security fixed the issue and it should be part of their next release :) |
@immanuel-h I’m not sure what the schedule is to update this dependency, might have to open a new issue after upstream has tagged their release? No clue |
They have only disabled deliverability check. |
You also cannot log in if pgadmin thinks it's an invalid email address, in my case it contains a |
A syntactically valid email is required. |
Hi @immanuel-h, |
The + symbol in an email address is absolutely valid. |
Hi, nope looks like the problem persists. Just to have it documented, my personal workaround is having this in my config_.local.py:
guess I'll reopen that ticket over at flask_security ... |
This is drawing bigger and bigger circles lol. After some browsing code it can be tracked down to |
The only comprehensive way to validate an email address is to send a secret to that address and to ask for that secret in the UI. Anything else will fail for one reason or another. I'm not even sure that pgadmin needs to be able to send emails? I for one, am using it locally with no chance that anyone else can log in, and I have no need for the email part. Pgadmin wouldn't be able to send an email from my system anyway, so it's pointless. |
@GuillaumeRossolini we are all on the same page here ... and so are the upstream packages that actually need to touch code as far as I know :) The "problem" is that many other users of flask_security do need to send emails, as well as that it absolutely does make sense to normalize email addresses before storing them (which is why they use email-validator). |
This is not a pgAdmin bug. You can change the behaviour as per your need using config. |
I'm running into a similar issue with this and would suggest that this is not resolved, @adityatoshniwal In my experience the validation should not be doing checking on a valid FQDN, as highlighted by @GuillaumeRossolini in #6504 (comment) - or if it does then there should be functionality to override this. The suggested fixes above of I am working on a project which has a use case for a login which is completely local and isolated from the internet, but the login itself will only be a local login and so there is justification for a I am using PGAdmin I would suggest that there is a bug in PGAdmin as there is a forced action to use a FQDN, and allowing use of Here is a snippet from my
It's also worth mentioning that the login page also says that you should enter an "Email Address / Username", however unless I'm mistaken there doesn't seem to be any way to just use a |
@AlexWinder Please check my comment here - #6222 (comment) |
@adityatoshniwal Thanks for the speedy reply. I've tried the suggesting in your comment however I'm still having the same issues where
I've tried both mapping to Any ideas? |
@adityatoshniwal Ignore my above message. I've found what the issue was. I was mapping to the wrong directory. I can now use It's worth me mentioning that the documentation of where to put For the purpose of completeness my
|
HI @AlexWinder, |
I think we should include this snippet in core code itself and provide one config var to allow special use domain names. That way, simply passing an env var should be enough. |
Describe the bug
Email addresses are validated on login, which means that previously valid logins become invalid when upgrading pgadmin.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The user should be able to login
Error message
"Invalid username or password" is shown.
Why this is problematic?
The text was updated successfully, but these errors were encountered: