Trim whitespace from user-input

cmd/server/assets/login/change-password.html

@@ -88,7 +88,7 @@
       });
 
       function changePassword() {
-        let email = $email.val();
+        let email = $email.val().trim();
         let pwd = $password.val();
         if (pwd != $retype.val()) {
           flash.error("Password and retyped passwords must match.");

cmd/server/assets/login/login.html

@@ -104,7 +104,7 @@
         $submit.prop('disabled', true);
 
         {{if .currentUser}}
-        let credentials = firebase.auth.EmailAuthProvider.credential($email.val(),$password.val());
+        let credentials = firebase.auth.EmailAuthProvider.credential($email.val().trim(),$password.val());
         firebase.auth().currentUser.reauthenticateWithCredential(credentials)
         {{else}}
         firebase.auth().signInWithEmailAndPassword($email.val(), $password.val())
@@ -153,7 +153,7 @@
         $submitPin.prop('disabled', true);
 
         // Ask user for the SMS verification code.
-        let cred = firebase.auth.PhoneAuthProvider.credential(verId, $pin.val());
+        let cred = firebase.auth.PhoneAuthProvider.credential(verId, $pin.val().trim());
         let multiFactorAssertion = firebase.auth.PhoneMultiFactorGenerator.assertion(cred);
         // Complete sign-in.
         resolver.resolveSignIn(multiFactorAssertion)

cmd/server/assets/login/register-phone.html

@@ -236,7 +236,7 @@
         // Disable the submit button so we only attempt once.
         $submitPin.prop('disabled', true);
 
-        var cred = firebase.auth.PhoneAuthProvider.credential(verId, $pin.val());
+        var cred = firebase.auth.PhoneAuthProvider.credential(verId, $pin.val().trim());
         var multiFactorAssertion = firebase.auth.PhoneMultiFactorGenerator.assertion(cred);
 
         // Complete enrollment.

pkg/controller/admin/users.go

@@ -17,6 +17,7 @@ package admin
 import (
 	"context"
 	"net/http"
+	"strings"
 
 	"github.com/google/exposure-notifications-verification-server/pkg/controller"
 	"github.com/google/exposure-notifications-verification-server/pkg/database"
@@ -71,10 +72,13 @@ func (c *Controller) HandleUsersCreate() http.Handler {
 		}
 
 		var form FormData
-		if err := controller.BindForm(w, r, &form); err != nil {
+		err := controller.BindForm(w, r, &form)
+		email := strings.TrimSpace(form.Email)
+		name := strings.TrimSpace(form.Name)
+		if err != nil {
 			user := &database.User{
-				Email: form.Email,
-				Name:  form.Name,
+				Email: email,
+				Name:  name,
 			}
 
 			flash.Error("Failed to process form: %v", err)
@@ -83,7 +87,7 @@ func (c *Controller) HandleUsersCreate() http.Handler {
 		}
 
 		// See if the user already exists and use that record.
-		user, err := c.db.FindUserByEmail(form.Email)
+		user, err := c.db.FindUserByEmail(email)
 		if err != nil {
 			if !database.IsNotFound(err) {
 				controller.InternalError(w, r, c.h, err)
@@ -92,8 +96,8 @@ func (c *Controller) HandleUsersCreate() http.Handler {
 
 			// User does not exist, create a new one.
 			user = &database.User{
-				Name:  form.Name,
-				Email: form.Email,
+				Name:  name,
+				Email: email,
 			}
 		}
 

pkg/controller/login/reset_password.go

@@ -19,6 +19,7 @@ import (
 	"context"
 	"errors"
 	"net/http"
+	"strings"
 
 	"github.com/google/exposure-notifications-verification-server/internal/firebase"
 	"github.com/google/exposure-notifications-verification-server/pkg/controller"
@@ -55,7 +56,7 @@ func (c *Controller) HandleSubmitResetPassword() http.Handler {
 			return
 		}
 
-		if err := c.firebaseInternal.SendPasswordResetEmail(ctx, form.Email); err != nil {
+		if err := c.firebaseInternal.SendPasswordResetEmail(ctx, strings.TrimSpace(form.Email)); err != nil {
 			// Treat not-found like success so we don't leak details.
 			if !errors.Is(err, firebase.ErrEmailNotFound) {
 				flash.Error("Password reset failed.")

pkg/controller/login/select_password.go

@@ -20,6 +20,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 	"unicode"
 
@@ -90,25 +91,26 @@ func (c *Controller) HandleSubmitNewPassword() http.Handler {
 			c.renderShowSelectPassword(ctx, w, "", code, false, flash)
 			return
 		}
+		email := strings.TrimSpace(form.Email)
 
 		if err := c.validateComplexity(form.Password); err != nil {
 			flash.Error("Select password failed: %v", err)
-			c.renderShowSelectPassword(ctx, w, form.Email, code, false, flash)
+			c.renderShowSelectPassword(ctx, w, email, code, false, flash)
 			return
 		}
 
 		if _, err := c.firebaseInternal.ChangePasswordWithCode(ctx, code, form.Password); err != nil {
 			if errors.Is(err, firebase.ErrInvalidOOBCode) || errors.Is(err, firebase.ErrExpiredOOBCode) {
 				flash.Error("The action code is invalid. This can happen if the code is malformed, expired, or has already been used.")
-				c.renderShowSelectPassword(ctx, w, form.Email, code, true, flash)
+				c.renderShowSelectPassword(ctx, w, email, code, true, flash)
 			} else {
 				flash.Error("Select password failed. %v", err)
-				c.renderShowSelectPassword(ctx, w, form.Email, code, false, flash)
+				c.renderShowSelectPassword(ctx, w, email, code, false, flash)
 			}
 			return
 		}
 
-		if err := c.db.PasswordChanged(form.Email, time.Now()); err != nil {
+		if err := c.db.PasswordChanged(email, time.Now()); err != nil {
 			logger.Errorw("failed to mark password change time", "error", err)
 		}
 

pkg/controller/user/create.go

@@ -17,6 +17,7 @@ package user
 import (
 	"context"
 	"net/http"
+	"strings"
 
 	"github.com/google/exposure-notifications-verification-server/pkg/controller"
 	"github.com/google/exposure-notifications-verification-server/pkg/database"
@@ -63,18 +64,19 @@ func (c *Controller) HandleCreate() http.Handler {
 			c.renderNew(ctx, w)
 			return
 		}
+		email := strings.TrimSpace(form.Email)
 
 		// See if the user already exists by email - they may be a member of another
 		// realm.
-		user, err := c.db.FindUserByEmail(form.Email)
+		user, err := c.db.FindUserByEmail(email)
 		if err != nil {
 			if !database.IsNotFound(err) {
 				controller.InternalError(w, r, c.h, err)
 				return
 			}
 
 			user = new(database.User)
-			user.Email = form.Email
+			user.Email = email
 			user.Name = form.Name
 		}
 

pkg/controller/user/update.go

@@ -17,6 +17,7 @@ package user
 import (
 	"context"
 	"net/http"
+	"strings"
 
 	"github.com/google/exposure-notifications-verification-server/pkg/controller"
 	"github.com/google/exposure-notifications-verification-server/pkg/database"
@@ -72,10 +73,12 @@ func (c *Controller) HandleUpdate() http.Handler {
 		}
 
 		var form FormData
-		if err := controller.BindForm(w, r, &form); err != nil {
-			user.Email = form.Email
-			user.Name = form.Name
+		err = controller.BindForm(w, r, &form)
 
+		// Build the user struct
+		user.Email = strings.TrimSpace(form.Email)
+		user.Name = strings.TrimSpace(form.Name)
+		if err != nil {
 			if terr, ok := err.(schema.MultiError); ok {
 				for k, err := range terr {
 					user.AddError(k, err.Error())
@@ -87,10 +90,6 @@ func (c *Controller) HandleUpdate() http.Handler {
 			return
 		}
 
-		// Build the user struct
-		user.Email = form.Email
-		user.Name = form.Name
-
 		// Manage realm admin permissions.
 		if form.Admin {
 			user.AddRealmAdmin(realm)