From e4df728a04abecb983a29d0ffd2bb2c918540cbf Mon Sep 17 00:00:00 2001
From: ricola
Date: Thu, 4 Dec 2025 17:41:28 -0600
Subject: [PATCH] Validate email address
---
vedia.rb | 32 ++++++++++++++++++++------------
views/reset.erb | 8 ++++++++
2 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/vedia.rb b/vedia.rb
index a3ef682..d30fdaa 100644
--- a/vedia.rb
+++ b/vedia.rb
@@ -136,19 +136,27 @@ get '/reset' do
 end
 
 post '/reset' do
- @user = User.find_by(email: params[:email])
- if @user
- @reset = SecureRandom.uuid
- @user.reset = hash_password(@reset)
- @user.save
- mail = Mail.new
- mail.from = settings.admin_email
- mail.to = @user.email
- mail.subject = _("Reset your password")
- mail.body = erb :reset_email, :layout => false
- mail.deliver
+ @errors = []
+ unless params[:email] =~ URI::MailTo::EMAIL_REGEXP
+ @errors << OpenStruct.new(:attribute => :email, :type => :invalid)
+ end
+ if not @errors.empty?
+ erb :reset
+ else
+ @user = User.find_by(email: params[:email])
+ if @user
+ @reset = SecureRandom.uuid
+ @user.reset = hash_password(@reset)
+ @user.save
+ mail = Mail.new
+ mail.from = settings.admin_email
+ mail.to = @user.email
+ mail.subject = _("Reset your password")
+ mail.body = erb :reset_email, :layout => false
+ mail.deliver
+ end
+ erb :reset_sent
 end
- erb :reset_sent
 end
 
 get '/reset/:uuid' do
diff --git a/views/reset.erb b/views/reset.erb
index ae4bdc2..9853d71 100644
--- a/views/reset.erb
+++ b/views/reset.erb
@@ -1,5 +1,13 @@
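Review bot: The new guard `params[:email] =~ URI::MailTo::EMAIL_REGEXP` assumes the parameter is a String or nil, but a request can submit `email[]=...` or `email[k]=...` and make it an Array or Hash. On Ruby 3.2 and later `Object#=~` no longer exists, so that input raises NoMethodError and the route answers with a 500 instead of the validation error. I would check the type first and use `match?`, e.g. `unless params[:email].is_a?(String) && URI::MailTo::EMAIL_REGEXP.match?(params[:email])`. Separately, the handler still returns `reset_sent` for both known and unknown addresses, which is good, but `hash_password` and `mail.deliver` run inline only when the user exists, so response time may still reveal which addresses are registered. If that matters here, deliver the mail out of band.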

<%= _("Reset password") %>

+<% if @errors %>
+<% @errors.each do |error| %>
+ <% if error.attribute == :email and error.type == :invalid %>
+

<%= _("Enter an email address.") %>

+ <% end %>
+<% end %>
+<% end %>
+