From 5341cdfa8bf94c32d1b94067e5cd96b795afd111 Mon Sep 17 00:00:00 2001
From: nicktrn <55853254+nicktrn@users.noreply.github.com>
Date: Mon, 18 May 2026 17:07:04 +0100
Subject: [PATCH] fix: validate email format on magic link login

---
 .../magic-link-email-validation.md | 6 ++++++
 apps/webapp/app/routes/login.magic/route.tsx | 21 ++++++++++++++++---
 2 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 .server-changes/magic-link-email-validation.md

diff --git a/.server-changes/magic-link-email-validation.md b/.server-changes/magic-link-email-validation.md
new file mode 100644
index 00000000000..f91ad60e94a
--- /dev/null
+++ b/.server-changes/magic-link-email-validation.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Validate email format on the magic link login form.
diff --git a/apps/webapp/app/routes/login.magic/route.tsx b/apps/webapp/app/routes/login.magic/route.tsx
index 3ddbd47a4d0..06523b3d8c5 100644
--- a/apps/webapp/app/routes/login.magic/route.tsx
+++ b/apps/webapp/app/routes/login.magic/route.tsx
@@ -101,17 +101,32 @@ export async function action({ request }: ActionFunctionArgs) {
 
  const payload = Object.fromEntries(await clonedRequest.formData());
 
- const data = z
+ const result = z
  .discriminatedUnion("action", [
  z.object({
  action: z.literal("send"),
- email: z.string().trim().toLowerCase(),
+ email: z.string().trim().toLowerCase().email(),
  }),
  z.object({
  action: z.literal("reset"),
  }),
  ])
- .parse(payload);
+ .safeParse(payload);
+
+ if (!result.success) {
+ const session = await getUserSession(request);
+ session.set("auth:error", {
+ message: "Please enter a valid email address.",
+ });
+
+ return redirect("/login/magic", {
+ headers: {
+ "Set-Cookie": await commitSession(session),
+ },
+ });
+ }
+
+ const data = result.data;
 
  switch (data.action) {
  case "send": {
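Review bot: The `!result.success` branch in `route.tsx` answers every schema failure with "Please enter a valid email address.", and that includes a missing or unrecognised `action` value, not only a malformed `email`. A submission that never carried an email field therefore gets a misleading message, and nothing in the branch records which field failed, which makes tampered or scripted posts harder to tell apart from typos. Consider distinguishing the cases from `result.error.issues` (each issue carries a `path`), or at least putting a comment above the branch such as `// Any schema failure lands here, including an unknown "action"; the message assumes the email field was at fault.` Note also that `.email()` is a syntax check only, so whatever throttling the send path applies (not visible here) is still what limits abuse of the form. The body of `action` starts before the hunk and continues after it.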