From e21092010ab83a2670c66c5fb2a25db4527250a8 Mon Sep 17 00:00:00 2001
From: Melissa Autumn
Date: Tue, 3 Sep 2024 10:44:29 -0700
Subject: [PATCH] Enforce EmailStr for email fields on waiting list, and fix emails with unicode characters.
---
 backend/src/appointment/controller/mailer.py | 2 +-
 backend/src/appointment/database/schemas.py | 4 ++--
 backend/test/integration/test_waiting_list.py | 15 +++++++++++++++
 3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/backend/src/appointment/controller/mailer.py b/backend/src/appointment/controller/mailer.py
index 5ca2251f7..1fe739ae3 100644
--- a/backend/src/appointment/controller/mailer.py
+++ b/backend/src/appointment/controller/mailer.py
@@ -100,7 +100,7 @@ def build(self):
 filename=a.filename
 )
- return message.as_string()
+ return message.as_string().encode('utf-8')
 def send(self):
 """actually send the email"""
diff --git a/backend/src/appointment/database/schemas.py b/backend/src/appointment/database/schemas.py
index 3956d9653..aed98e24a 100644
--- a/backend/src/appointment/database/schemas.py
+++ b/backend/src/appointment/database/schemas.py
@@ -392,11 +392,11 @@ class TokenData(BaseModel):
 class SendInviteEmailIn(BaseModel):
- email: str = Field(title='Email', min_length=1)
+ email: EmailStr = Field(title='Email', min_length=1)
 class JoinTheWaitingList(BaseModel):
- email: str = Field(title='Email', min_length=1)
+ email: EmailStr = Field(title='Email', min_length=1)
 class TokenForWaitingList(BaseModel):
diff --git a/backend/test/integration/test_waiting_list.py b/backend/test/integration/test_waiting_list.py
index e0ccf08c4..f1d8f17dd 100644
--- a/backend/test/integration/test_waiting_list.py
+++ b/backend/test/integration/test_waiting_list.py
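Review bot: In mailer.py, `build()` now returns `bytes` instead of `str` at the changed `return`, and nothing visible in the hunk documents that or shows its callers being adjusted; a docstring line such as `"""Build the message and return it as UTF-8 encoded bytes."""` would record the new contract. Encoding the whole `as_string()` output can put raw 8-bit data on the wire, which a server that does not advertise 8BITMIME/SMTPUTF8 may reject or mangle. If `message` is a standard `email.message` object (its type is not visible here), `message.as_bytes()` serialises headers and body according to the message policy and is the usual alternative to a blanket `.encode('utf-8')`. `build()` starts above the hunk and `send()` continues below it.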
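Review bot: In schemas.py, `min_length=1` is left on both `EmailStr` fields, where it looks redundant: the new test expects the email-validation message for `''`, so the empty string is already rejected by the type; `email: EmailStr = Field(title='Email')` would state the single rule. `EmailStr` checks syntax only, so a short comment on `JoinTheWaitingList` noting that ownership is still proven by the confirmation step would help readers. It is also worth confirming that the already-in-list lookup compares the validated value, so case or Unicode variants of one address do not create separate entries; that code is outside this hunk.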
@@ -50,6 +50,21 @@ def test_already_in_list(self, with_db, with_client, make_waiting_list):
 # Ensure we did not send out an email
 mock.assert_not_called()
+ def test_bad_emails(self, with_db, with_client, make_waiting_list):
+ # Variety of bad emails
+ emails = ['', 'test', 'test@', '@example.org']
+
+ for email in emails:
+ with patch('fastapi.BackgroundTasks.add_task') as mock:
+ response = with_client.post('/waiting-list/join', json={'email': email})
+
+ # Ensure we hit the email validation error
+ assert response.status_code == 422, response.json()
+ assert 'value is not a valid email address' in response.json()['detail'][0]['msg']
+
+ # Ensure we did not send out an email
+ mock.assert_not_called()
+
 class TestWaitingListActionConfirm:
 def assert_email_verified(self, db, waiting_list, success=True):
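Review bot: `test_bad_emails` covers only the rejection path, so the Unicode fix named in the commit subject (the `build()` change in mailer.py) has no test in this hunk; a case that joins with a non-ASCII address and asserts that the request succeeds and the mail task is queued would pin it. `SendInviteEmailIn` received the same `EmailStr` change, but no invalid-address test of the invite endpoint appears here. Looping over `emails` inside one test stops at the first failing value; assuming the suite runs under pytest, `@pytest.mark.parametrize('email', ['', 'test', 'test@', '@example.org'])` would report each input separately.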