From e6d742f92e5352ac01b2b8fec94c06e812a3d741 Mon Sep 17 00:00:00 2001
From: Steve Dogiakos
Date: Mon, 9 Mar 2026 20:36:54 -0600
Subject: [PATCH] fix: replace regex email validation with email-validator
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Swap hand-rolled regex for the email-validator library which handles RFC 5322 edge cases correctly. check_deliverability=False skips DNS lookups (not viable on an intranet). Blank email still passes — only a non-empty, malformed address triggers the error.
---
 app.py | 10 ++++++----
 requirements.txt | 1 +
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/app.py b/app.py
index d4f61cc..cdc0025 100644
--- a/app.py
+++ b/app.py
@@ -1,8 +1,8 @@
 from flask import Flask, render_template, request, redirect, url_for, jsonify, abort
 from flask_limiter import Limiter
 from flask_limiter.util import get_remote_address
+from email_validator import validate_email, EmailNotValidError
 import sqlite3
-import re
 import logging
 import os

@@ -67,9 +67,11 @@ def init_db():
 logger.info("Database initialized.")

 def is_valid_email(email):
- # TODO: This regex allows edge cases like consecutive dots and leading/trailing hyphens. Consider using the `email-validator` package.
- pattern = r'^[\w\.-]+@[\w\.-]+\.\w+$'
- return re.match(pattern, email)
+ try:
+ validate_email(email, check_deliverability=False)
+ return True
+ except EmailNotValidError:
+ return False

 with app.app_context():
 init_db()
diff --git a/requirements.txt b/requirements.txt
index e8afb9a..c6e3ce5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,5 @@
 Flask>=3.1.3
 Werkzeug>=3.0.6
 Flask-Limiter>=3.0
+email-validator>=2.0
 gunicorn
\ No newline at end of file
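Review bot: In app.py, is_valid_email now accepts a wider local-part alphabet than the removed `[\w\.-]+` pattern did (characters such as `'`, `+` and `&` are valid under email-validator), so a passing check must not be treated as sanitisation of the address. The callers and the sqlite3 writes are outside this hunk; if any of them builds SQL or HTML from the address by string formatting, that needs parameter binding and output escaping before this lands. The return value of `validate_email(...)` is also discarded, so what is stored is presumably the raw input rather than the library's normalized form. A one-line docstring such as `"""Return True if email is syntactically valid; does not normalize or sanitize it."""` would make that contract explicit.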
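Review bot: `email-validator>=2.0` in requirements.txt is an open-ended range, so each fresh install can resolve to a different release of a library that now sits on the input-validation path. Pinning an exact version (`email-validator==<reviewed version>`), ideally installed with pip's `--require-hashes`, would keep both the validation behaviour and the dependency's provenance reproducible. The neighbouring entries use the same open-ended style, so this may be better handled for the whole file at once.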