Merge pull request #5071 from matrix-org/babolivier/3pid-check

Make sure we're not registering the same 3pid twice
2019-04-17 14:37:42 +01:00 · 2019-04-17 14:37:42 +01:00 · 49ff74da9b
parent fd2fcb817c 600ec04739
commit 49ff74da9b
2 changed files with 19 additions and 0 deletions
--- a/changelog.d/5071.bugfix
+++ b/changelog.d/5071.bugfix
@ -0,0 +1 @@
+Make sure we're not registering the same 3pid twice on registration.
--- a/synapse/rest/client/v2_alpha/register.py
+++ b/synapse/rest/client/v2_alpha/register.py
@ -391,6 +391,13 @@ class RegisterRestServlet(RestServlet):
        # the user-facing checks will probably already have happened in
        # /register/email/requestToken when we requested a 3pid, but that's not
        # guaranteed.
+        #
+        # Also check that we're not trying to register a 3pid that's already
+        # been registered.
+        #
+        # This has probably happened in /register/email/requestToken as well,
+        # but if a user hits this endpoint twice then clicks on each link from
+        # the two activation emails, they would register the same 3pid twice.

        if auth_result:
            for login_type in [LoginType.EMAIL_IDENTITY, LoginType.MSISDN]:
@ -406,6 +413,17 @@ class RegisterRestServlet(RestServlet):
                            Codes.THREEPID_DENIED,
                        )

+                    existingUid = yield self.store.get_user_id_by_threepid(
+                        medium, address,
+                    )
+
+                    if existingUid is not None:
+                        raise SynapseError(
+                            400,
+                            "%s is already in use" % medium,
+                            Codes.THREEPID_IN_USE,
+                        )
+
        if registered_user_id is not None:
            logger.info(
                "Already registered user ID %r for this session",
				`@ -0,0 +1 @@`
				`Make sure we're not registering the same 3pid twice on registration.`