User Can be Created With Invalid Email Format

Problem statement

When a user signs up through a regular database connection, Auth0 validates the email with the isEmail function provided by the validator npm package. With a custom database connection, however, this validation sometimes does not occur, and a string that is not a valid email address can be saved for the user.

Solution

The issue may occur if a custom database connection is created with the Management API and the connection is missing an options.strategy_version property.

If the options.strategy_version property has a value of 2, the email is validated, and a tenant log with the message “DB Login Custom script: email "xxxxxx" is not valid, please update the import user script in the connection settings.” will appear. To gain this validation, patch the connection with PATCH /api/v2/connections/{id} so that strategy_version: 2 is included in the options object.
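One way to apply the patch described above, as an added example that is not Auth0's own code. It reads the connection first and sends the complete options object back, because the Management API replaces options as a whole on PATCH and sending only strategy_version would drop the custom scripts. The tenant domain, token, connection id, function names and sample connection are assumptions; the token is assumed to carry the read:connections and update:connections scopes.

```javascript
// Added example (not Auth0's code). Domain, token and connection id are placeholders.

// Return the PATCH body that adds strategy_version: 2, or null if already set.
// The full existing options object is carried over because PATCH replaces
// `options` as a whole rather than merging individual keys.
function buildStrategyVersionPatch(connection) {
  const options = connection.options || {};
  if (options.strategy_version === 2) return null;
  return { options: { ...options, strategy_version: 2 } };
}

// Read the connection, then patch it only when strategy_version is not already 2.
// fetchImpl is injectable so the flow can be exercised without network access.
async function enforceStrategyVersion(domain, token, id, fetchImpl = globalThis.fetch) {
  const url = `https://${domain}/api/v2/connections/${encodeURIComponent(id)}`;
  const headers = { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' };

  const res = await fetchImpl(url, { headers });
  if (!res.ok) throw new Error(`GET connection failed: ${res.status}`);
  const body = buildStrategyVersionPatch(await res.json());
  if (body === null) return { patched: false };

  const patch = await fetchImpl(url, { method: 'PATCH', headers, body: JSON.stringify(body) });
  if (!patch.ok) throw new Error(`PATCH connection failed: ${patch.status}`);
  return { patched: true, options: (await patch.json()).options };
}

// Constructed sample: a custom database connection created without strategy_version.
const sampleConnection = {
  id: 'con_EXAMPLE',
  strategy: 'auth0',
  options: {
    enabledDatabaseCustomization: true,
    customScripts: { login: 'function login(email, password, callback) { /* ... */ }' },
  },
};
```

After patching, a sign-up or login attempt with a malformed email should produce the tenant log message quoted above.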