taldir

Directory service to resolve wallet mailboxes by messenger addresses

commit e9c5cc54d9cfe3c97fa3c96aa296d2d27998f25b
parent bc7c627f5cae762e4bfa30f11e81013701d2d51a
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Sun, 17 Jul 2022 22:34:51 +0200

prevent automatic unlimited resend

Diffstat:
Mconfig/taldir-example.conf | 3+++
Mpkg/rest/taldir.go | 13+++++++++++--
2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/config/taldir-example.conf b/config/taldir-example.conf @@ -24,15 +24,18 @@ validation_expiration = 24h sender = "taldir@taler.net" challenge_fee = KUDOS:0.5 command = validate_email.sh +allow_resend = true [taldir-phone] challenge_fee = KUDOS:5 requires_payment = true command = validate_phone.sh +allow_resend = false [taldir-twitter] challenge_fee = KUDOS:2 command = taldir-validate-twitter +allow_resend = true [taldir-pq] host = "localhost" diff --git a/pkg/rest/taldir.go b/pkg/rest/taldir.go @@ -197,6 +197,9 @@ type validation struct { // The activation code sent to the client Challenge string `json:"-"` + // The challenge has been sent already + ChallengeSent bool `json:"-"` + // Public key of the user to register PublicKey string `json:"public_key"` @@ -458,7 +461,6 @@ func (t *Taldir) registerRequest(w http.ResponseWriter, r *http.Request){ validation.Duration = reqDuration.Microseconds() } - // FIXME: integer arithmetic fixedCost := t.Cfg.Section("taldir-" + vars["method"]).Key("challenge_fee").MustString("KUDOS:0") sliceDuration := time.Duration(validation.Duration * 1000) cost, err := util.CalculateCost(t.MonthlyFee, @@ -509,7 +511,13 @@ func (t *Taldir) registerRequest(w http.ResponseWriter, r *http.Request){ w.WriteHeader(500) return } - + // Some validation methods are costly + // Require explicit whitelisting for a resend. + if validation.ChallengeSent && + !t.Cfg.Section("taldir-" + vars["method"]).Key("allow_resend").MustBool(false) { + w.WriteHeader(202) + return + } if !t.Cfg.Section("taldir-" + vars["method"]).HasKey("command") { log.Fatal(err) t.Db.Delete(&validation) @@ -531,6 +539,7 @@ func (t *Taldir) registerRequest(w http.ResponseWriter, r *http.Request){ w.WriteHeader(500) return } + validation.ChallengeSent = true w.WriteHeader(202) }
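Review bot: The new guard placed before the `HasKey("command")` check only refuses a resend when `allow_resend` is false, so for methods that set it to true (email and twitter in the example config) every repeated register request appears to reach the validation command again, with no bound on count or rate. That leaves the endpoint usable to flood a third party's address at the operator's cost, which is the problem the commit title names. Consider recording a last-sent time or a resend counter on the validation record and refusing resends inside a minimum interval even when `allow_resend` is true. If answering 202 to a refused resend is deliberate, say so in a comment, e.g. `// 202 on a refused resend is intentional: do not reveal whether a challenge is pending`. registerRequest starts and ends outside this hunk, so an earlier limit may exist that is not visible here.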
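Review bot: `validation.ChallengeSent = true` in the last hunk is assigned immediately before `w.WriteHeader(202)` and the closing brace of registerRequest, and no database write is visible after it. If `validation` is a per-request record loaded from the database (the `t.Db.Delete(&validation)` call in the previous hunk suggests it is), the flag is lost when the handler returns and the new `ChallengeSent` check will not fire on the next request. Persist the flag before responding, for example `if err := t.Db.Save(&validation).Error; err != nil { w.WriteHeader(500); return }`, assuming `t.Db` is the GORM handle it appears to be. The function body begins outside this hunk, so confirm that nothing else already saves the record after this point.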