From 6ffb7efc9bb136d3b65382375cb62ce53169e3cf Mon Sep 17 00:00:00 2001
From: David Baker
Date: Tue, 11 Oct 2016 18:08:18 +0100
Subject: [PATCH] Prevent spamming emails by reusing client secret

Generate a client secret in the Signup class (if we don't already have one) and re-usae it for subsequent attempts to register, that way the IS can honour the sendAttempt flag and not re-send the email if we're just retrying and requestToken becomes idempotent.
---
 src/Signup.js | 8 ++++++++
 src/SignupStages.js | 6 +++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/Signup.js b/src/Signup.js
index 18d338cc32..13cb9b47fd 100644
--- a/src/Signup.js
+++ b/src/Signup.js
@@ -130,6 +130,14 @@ class Register extends Signup {
 this.password = password;
 const client = this._createTemporaryClient();
 this.activeStage = null;
+
+ // If there hasn't been a client secret set by this point,
+ // generate one for this session. It will only be used if
+ // we do email verification, but far simpler to just make
+ // sure we have one.
+ if (!this.params.clientSecret) {
+ this.params.clientSecret = client.generateClientSecret();
+ }
 return this._tryRegister(client);
 }

diff --git a/src/SignupStages.js b/src/SignupStages.js
index 2b0d163a08..8ae61f1a7d 100644
--- a/src/SignupStages.js
+++ b/src/SignupStages.js
@@ -158,7 +158,11 @@ class EmailIdentityStage extends Stage {
 return this._completeVerify();
 }

- this.clientSecret = this.client.generateClientSecret();
+ this.clientSecret = this.signupInstance.params.clientSecret;
+ if (!this.clientSecret) {
+ return q.reject(new Error("No client secret specified by Signup class!"));
+ }
+
 var nextLink = this.signupInstance.params.registrationUrl + '?client_secret=' + encodeURIComponent(this.clientSecret) +
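Review bot: The new comment in the Signup.js hunk says a secret is generated but not the property the rest of the flow relies on — that the value must stay identical across retries of this method, which the added check only guarantees by not overwriting an existing one; suggest `// Keep one client secret per signup session: EmailIdentityStage reuses it, and the identity server only treats a retried requestToken as the same attempt (sendAttempt) if the secret is unchanged.` The secret is written into `this.params`, which looks like a caller-supplied options object; if a caller shares one params object between Register instances, the same secret would carry over into another session, so storing it in a field owned by the instance (or copying params in the constructor) would be safer — the constructor is not visible here, so this is inferred. The enclosing method's signature is also outside the hunk.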