Prevent spamming emails by reusing client secret
Generate a client secret in the Signup class (if we don't already have one) and re-usae it for subsequent attempts to register, that way the IS can honour the sendAttempt flag and not re-send the email if we're just retrying and requestToken becomes idempotent.
This commit is contained in:
David Baker
parent
6ffddabaaa
commit
6ffb7efc9b
2 changed files with 13 additions and 1 deletions
|
|
@ -130,6 +130,14 @@ class Register extends Signup {
|
||||||
this.password = password;
|
this.password = password;
|
||||||
const client = this._createTemporaryClient();
|
const client = this._createTemporaryClient();
|
||||||
this.activeStage = null;
|
this.activeStage = null;
|
||||||
|
|
||||||
|
// If there hasn't been a client secret set by this point,
|
||||||
|
// generate one for this session. It will only be used if
|
||||||
|
// we do email verification, but far simpler to just make
|
||||||
|
// sure we have one.
|
||||||
|
if (!this.params.clientSecret) {
|
||||||
|
this.params.clientSecret = client.generateClientSecret();
|
||||||
|
}
|
||||||
return this._tryRegister(client);
|
return this._tryRegister(client);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -158,7 +158,11 @@ class EmailIdentityStage extends Stage {
|
||||||
return this._completeVerify();
|
return this._completeVerify();
|
||||||
}
|
}
|
||||||
|
|
||||||
this.clientSecret = this.client.generateClientSecret();
|
this.clientSecret = this.signupInstance.params.clientSecret;
|
||||||
|
if (!this.clientSecret) {
|
||||||
|
return q.reject(new Error("No client secret specified by Signup class!"));
|
||||||
|
}
|
||||||
|
|
||||||
var nextLink = this.signupInstance.params.registrationUrl +
|
var nextLink = this.signupInstance.params.registrationUrl +
|
||||||
'?client_secret=' +
|
'?client_secret=' +
|
||||||
encodeURIComponent(this.clientSecret) +
|
encodeURIComponent(this.clientSecret) +
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue