@mehul-m-prajapati
The authentication routes currently lack proper backend-side validation for user inputs such as:
- email
- username
- password
During testing, I found that invalid email formats (without @) are accepted and stored in the database successfully.
Example:
email: 'likhisgowda2005gmail.com'
This indicates that request payloads are not being validated before database insertion.
Problem
Because validation is missing:
- malformed email addresses are accepted
- weak or invalid passwords can be submitted
- username constraints are not enforced
- inconsistent authentication behavior may occur
- invalid user data can persist in the database
Steps to Reproduce
1. Open signup page
2. Register using invalid input values
3. Observe that registration succeeds
4. Check MongoDB records:
   db.users.find()
5. Invalid data is stored successfully
Expected Behavior
Authentication routes should validate and sanitize incoming request payloads before processing or storing data.
Proposed Solution
Implement schema-based validation for authentication routes using Zod.
Suggested improvements:
- validate email format
- enforce password constraints
- trim and validate usernames
- return structured validation error responses
- create reusable validation schemas for future routes
Affected Area
- backend/routes/auth.js
- authentication request handling
Additional Context
I would like to work on this issue under GSSoC 2026 if approved.
What browsers are you seeing the problem on?
No response
📃 Relevant Screenshots (Links)
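An added example, not code from this issue or from the project: a dependency-free sketch of the server-side checks listed under "Suggested improvements", written as plain JavaScript in place of the Zod schema the issue proposes so that it runs without installing anything. The names `signupRules`, `validatePayload` and `validateBody`, the length limits, the username character set and the Express-style `(req, res, next)` signature are assumptions.

```javascript
// Added example: field rules below are assumptions, not the project's policy.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const USERNAME_RE = /^[A-Za-z0-9_]{3,30}$/;

// Each rule returns [cleanValue, errorMessage]; exactly one of the two is set.
const signupRules = {
  email(v) {
    const s = v.trim().toLowerCase();
    return s.length <= 254 && EMAIL_RE.test(s)
      ? [s, null] : [null, 'must be a valid email address'];
  },
  username(v) {
    const s = v.trim();
    return USERNAME_RE.test(s)
      ? [s, null] : [null, 'must be 3-30 letters, digits or underscores'];
  },
  password(v) {
    // Passwords are not trimmed: leading or trailing spaces may be intentional.
    return v.length >= 8 && v.length <= 128
      ? [v, null] : [null, 'must be 8-128 characters'];
  },
};

// Validate a request body against a rule set. Only fields named in the rules
// are copied to the output, so unexpected keys never reach the database layer.
function validatePayload(rules, body) {
  const data = {};
  const errors = [];
  for (const [field, rule] of Object.entries(rules)) {
    const raw = body == null ? undefined : body[field];
    if (typeof raw !== 'string') {
      // Covers missing fields and objects/arrays sent in place of strings.
      errors.push({ field, message: 'is required and must be a string' });
      continue;
    }
    const [clean, message] = rule(raw);
    if (message) errors.push({ field, message });
    else data[field] = clean;
  }
  return errors.length ? { ok: false, errors } : { ok: true, data };
}

// Express-style middleware factory: respond 400 with structured errors, or
// replace req.body with the sanitized values and continue to the handler.
function validateBody(rules) {
  return (req, res, next) => {
    const result = validatePayload(rules, req.body);
    if (!result.ok) return res.status(400).json({ errors: result.errors });
    req.body = result.data;
    next();
  };
}
```

Because the handler only ever sees the sanitized `req.body`, the same factory can be reused on other routes by passing a different rule set.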
