From 387267803967a5cb6d6387a54900ccd14dd26896 Mon Sep 17 00:00:00 2001
From: Leendert de Borst
Date: Tue, 24 Dec 2024 22:20:44 +0100
Subject: [PATCH] Sanitize email when retrieving emails for emailbox (#190)
---
 src/AliasVault.Api/Controllers/Email/EmailBoxController.cs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/AliasVault.Api/Controllers/Email/EmailBoxController.cs b/src/AliasVault.Api/Controllers/Email/EmailBoxController.cs
index ac4cdddc..776d2278 100644
--- a/src/AliasVault.Api/Controllers/Email/EmailBoxController.cs
+++ b/src/AliasVault.Api/Controllers/Email/EmailBoxController.cs
@@ -41,9 +41,11 @@ public async Task GetEmailBox(string to)
 return Unauthorized("Not authenticated.");
 }
+ var sanitizedEmail = to.Trim().ToLower();
+ // See if this user has a valid claim to the email address.
 var emailClaim = await context.UserEmailClaims
- .FirstOrDefaultAsync(x => x.Address == to);
+ .FirstOrDefaultAsync(x => x.Address == sanitizedEmail);
 if (emailClaim is null)
 {
@@ -51,7 +53,7 @@ public async Task GetEmailBox(string to)
 {
 Message = "No claim exists for this email address.",
 Code = "CLAIM_DOES_NOT_EXIST",
- Details = new { ProvidedEmail = to },
+ Details = new { ProvidedEmail = sanitizedEmail },
 StatusCode = StatusCodes.Status400BadRequest,
 Timestamp = DateTime.UtcNow,
 });
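Review bot: `to.Trim().ToLower()` in the first hunk lowercases with the current thread culture, so on a host running under a culture such as tr-TR an address containing `I` will not normalise to the form stored in `UserEmailClaims` and the claim lookup will miss; `var sanitizedEmail = to.Trim().ToLowerInvariant();` keeps the canonical form independent of server locale. The equality check also only holds if `Address` is written with the same normalisation when a claim is created, which this patch does not show. GetEmailBox continues outside both hunks: any later query that selects the mailbox contents should filter on `sanitizedEmail` rather than `to`, so that the value that passed the claim check is the same value used to fetch data.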