Prevent spamming emails by reusing client secret

Generate a client secret in the Signup class (if we don't already have one) and re-usae it for subsequent attempts to register, that way the IS can honour the sendAttempt flag and not re-send the email if we're just retrying and requestToken becomes idempotent.
2016-10-11 18:08:18 +01:00 · 2016-10-11 18:08:18 +01:00 · 6ffb7efc9b
parent 6ffddabaaa
commit 6ffb7efc9b
2 changed files with 13 additions and 1 deletions
--- a/src/Signup.js
+++ b/src/Signup.js
@ -130,6 +130,14 @@ class Register extends Signup {
        this.password = password;
        const client = this._createTemporaryClient();
        this.activeStage = null;
+
+        // If there hasn't been a client secret set by this point,
+        // generate one for this session. It will only be used if
+        // we do email verification, but far simpler to just make
+        // sure we have one.
+        if (!this.params.clientSecret) {
+            this.params.clientSecret = client.generateClientSecret();
+        }
        return this._tryRegister(client);
    }

--- a/src/SignupStages.js
+++ b/src/SignupStages.js
@ -158,7 +158,11 @@ class EmailIdentityStage extends Stage {
            return this._completeVerify();
        }

-        this.clientSecret = this.client.generateClientSecret();
+        this.clientSecret = this.signupInstance.params.clientSecret;
+        if (!this.clientSecret) {
+            return q.reject(new Error("No client secret specified by Signup class!"));
+        }
+
        var nextLink = this.signupInstance.params.registrationUrl +
                       '?client_secret=' +
                       encodeURIComponent(this.clientSecret) +