Email validations in MagicLinkController::LoginAction? What's the point?

[IvanNavarroSommerz]

Hi all, I'm fairly new here. In the MagicLinkController::LoginAction procedure there's a validation call for the email account and I do not see the point in it - this email account should already been validated and registered. Same happens at the LoginController I believe. I am going to just comment out those calls but I thought I should try to get some more info regarding this. Can someone comment? I appreciate the attention

[kenjis]

The security principle is that all user input should be validated before you use it.

Is the email validated during registration the same as the email sent to the Magic Link Controller?
No. An attacker can send any data to that controller.

[IvanNavarroSommerz]

I might be missing something, but I believe e-mail address validation rules are the same, they come from the the same config object. But yeah, agreed: "The security principle is that all user input should be validated before you use it."
I will stick to this. Thanks for the reply!

[kenjis]

Yes, the e-mail address validation rules are the same.

Normal users send their registered email address. However, there is a possibility that they may make a typo and send a strange string.

More importantly, an attacker can send any data. Binary data can also be sent.
Processing data that is not expected by developers may result in security bugs.
And there might be bugs in PHP.
So it is safe to detect invalid data as early as possible and avoid processing it.

In this case, there is no need to process anything that is formally invalid as an e-mail address.

[IvanNavarroSommerz]

You are absolutely right. I do appreciate your attention. Thanks.