fix(hub): use rfcEmail validator to allow IDN/Punycode email addresses (#1935)

valibot's email() action uses a domain-label regex that disallows the -- sequence, so Punycode ACE labels like xn--mnchen-3ya.de (the ASCII form of münchen.de) are incorrectly rejected. Switching to rfcEmail() applies the RFC 5321 domain-label pattern, which allows hyphens within labels and therefore accepts both standard and internationalized domain names.
2026-04-19 11:21:50 +02:00 · 2026-04-19 00:23:14 +08:00
parent a71617e058
commit cd9ea51039
2 changed files with 2 additions and 2 deletions
--- a/internal/site/src/components/login/auth-form.tsx
+++ b/internal/site/src/components/login/auth-form.tsx
@@ -17,7 +17,7 @@ import { toast } from "../ui/use-toast"
 import { OtpInputForm } from "./otp-forms"

 const honeypot = v.literal("")
-const emailSchema = v.pipe(v.string(), v.email(t`Invalid email address.`))
+const emailSchema = v.pipe(v.string(), v.rfcEmail(t`Invalid email address.`))
 const passwordSchema = v.pipe(
 	v.string(),
 	v.minLength(8, t`Password must be at least 8 characters.`),
--- a/internal/site/src/components/routes/settings/notifications.tsx
+++ b/internal/site/src/components/routes/settings/notifications.tsx
@@ -24,7 +24,7 @@ interface ShoutrrrUrlCardProps {
 }

 const NotificationSchema = v.object({
-	emails: v.array(v.pipe(v.string(), v.email())),
+	emails: v.array(v.pipe(v.string(), v.rfcEmail())),
 	webhooks: v.array(v.pipe(v.string(), v.url())),
 })