
(authentication/configuration/restrictions): update block email subaddress behavior #1645

Merged
merged 2 commits into from
Oct 23, 2024

Conversation

NicolasLopes7
Contributor

@NicolasLopes7 NicolasLopes7 commented Oct 23, 2024

Important

🔎 Previews:

Explanation:

We're changing how the block email subaddress restriction works.

Before:

[email protected] would be blocked, as the e-mail contains a +.

Now:

🧑‍🦱 A legit user trying to be organized with their mailbox:

  • I want to sign up for a new bank that uses Clerk.
  • I sign up with an email containing a subaddress: [email protected].
  • ✅ Sign-up should be successful.

🎩 An attacker trying to abuse subaddressing:

  • They sign up with the first account: [email protected].
  • ✅ Sign-up is successful.
  • Now they try to sign up again with [email protected].
  • ❌ The attempt fails because the same canonical identifier already exists.
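The two behaviours described in this PR, as an added example that is not Clerk's own code: a legacy check that refuses any address containing a `+`, beside the new check that derives a canonical identifier (local part with its `+tag` subaddress removed) and allows only one sign-up per canonical identifier. Function names, the `example.com` addresses and the lower-casing step are assumptions made for this example.

```python
"""Subaddress handling for sign-up: legacy 'reject any +' versus canonical dedup."""
from dataclasses import dataclass, field


def canonical_email(address: str) -> str:
    """Return the canonical identifier: local part without its '+tag' subaddress.

    Lower-casing both parts is an assumption of this example; the PR only
    states that addresses sharing a canonical identifier count as one user.
    """
    local, sep, domain = address.strip().partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    base_local = local.split("+", 1)[0]  # keep everything before the first '+'
    if not base_local:
        raise ValueError(f"empty local part after removing subaddress: {address!r}")
    return f"{base_local.lower()}@{domain.lower()}"


def legacy_rejects(address: str) -> bool:
    """'Before' behaviour: any address containing '+' was refused outright."""
    return "+" in address


@dataclass
class SignUpRegistry:
    """'Now' behaviour: one account per canonical identifier when the restriction is on."""
    block_subaddress_reuse: bool = True
    _accounts: dict = field(default_factory=dict)  # canonical key -> address as entered

    def sign_up(self, address: str) -> tuple[bool, str]:
        """Attempt a sign-up; returns (succeeded, canonical key or reason)."""
        if self.block_subaddress_reuse:
            key = canonical_email(address)
        else:
            key = address.strip().lower()  # restriction off: only exact duplicates collide
        if key in self._accounts:
            return False, f"identifier already in use: {key}"
        self._accounts[key] = address
        return True, key


if __name__ == "__main__":
    registry = SignUpRegistry()
    # Legit user organising their mailbox: allowed now, refused by the legacy check.
    print(legacy_rejects("user+bank@example.com"), registry.sign_up("user+bank@example.com"))
    # Attacker reusing one mailbox: second attempt collides on the canonical key.
    print(registry.sign_up("attacker@example.com"))
    print(registry.sign_up("attacker+2@example.com"))
```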


Hey, here’s your docs preview: https://clerk.com/docs/pr/1645

@victoriaxyz victoriaxyz self-requested a review October 23, 2024 14:49
@NicolasLopes7 NicolasLopes7 merged commit 29e7817 into main Oct 23, 2024
4 checks passed
@NicolasLopes7 NicolasLopes7 deleted the nicolas/orgs-252 branch October 23, 2024 17:37