2021-11-11 10:03:30 +03:00
|
|
|
// Copyright 2016 The Gogs Authors. All rights reserved.
|
|
|
|
// Copyright 2020 The Gitea Authors. All rights reserved.
|
2022-11-27 21:20:29 +03:00
|
|
|
// SPDX-License-Identifier: MIT
|
2021-11-11 10:03:30 +03:00
|
|
|
|
|
|
|
package user
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"fmt"
|
|
|
|
"net/mail"
|
2022-03-14 20:39:54 +03:00
|
|
|
"regexp"
|
2021-11-11 10:03:30 +03:00
|
|
|
"strings"
|
|
|
|
|
|
|
|
"code.gitea.io/gitea/models/db"
|
2021-11-28 17:11:58 +03:00
|
|
|
"code.gitea.io/gitea/modules/base"
|
2021-11-11 10:03:30 +03:00
|
|
|
"code.gitea.io/gitea/modules/log"
|
|
|
|
"code.gitea.io/gitea/modules/setting"
|
2021-11-28 17:11:58 +03:00
|
|
|
"code.gitea.io/gitea/modules/util"
|
2023-08-30 18:46:49 +03:00
|
|
|
"code.gitea.io/gitea/modules/validation"
|
2021-11-11 10:03:30 +03:00
|
|
|
|
|
|
|
"xorm.io/builder"
|
|
|
|
)
|
|
|
|
|
2022-01-20 20:46:10 +03:00
|
|
|
// ErrEmailNotActivated e-mail address has not been activated error
|
2022-12-31 14:49:37 +03:00
|
|
|
var ErrEmailNotActivated = util.NewInvalidArgumentErrorf("e-mail address has not been activated")
|
2022-03-14 20:39:54 +03:00
|
|
|
|
|
|
|
// ErrEmailCharIsNotSupported e-mail address contains unsupported character
|
|
|
|
type ErrEmailCharIsNotSupported struct {
|
|
|
|
Email string
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsErrEmailCharIsNotSupported checks if an error is an ErrEmailCharIsNotSupported
|
|
|
|
func IsErrEmailCharIsNotSupported(err error) bool {
|
|
|
|
_, ok := err.(ErrEmailCharIsNotSupported)
|
|
|
|
return ok
|
|
|
|
}
|
|
|
|
|
|
|
|
func (err ErrEmailCharIsNotSupported) Error() string {
|
|
|
|
return fmt.Sprintf("e-mail address contains unsupported character [email: %s]", err.Email)
|
|
|
|
}
|
2021-11-11 10:03:30 +03:00
|
|
|
|
2022-10-18 08:50:37 +03:00
|
|
|
func (err ErrEmailCharIsNotSupported) Unwrap() error {
|
|
|
|
return util.ErrInvalidArgument
|
|
|
|
}
|
|
|
|
|
2021-11-11 10:03:30 +03:00
|
|
|
// ErrEmailInvalid represents an error where the email address does not comply with RFC 5322
|
2022-10-12 05:44:09 +03:00
|
|
|
// or has a leading '-' character
|
2021-11-11 10:03:30 +03:00
|
|
|
type ErrEmailInvalid struct {
|
|
|
|
Email string
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsErrEmailInvalid checks if an error is an ErrEmailInvalid
|
|
|
|
func IsErrEmailInvalid(err error) bool {
|
|
|
|
_, ok := err.(ErrEmailInvalid)
|
|
|
|
return ok
|
|
|
|
}
|
|
|
|
|
|
|
|
func (err ErrEmailInvalid) Error() string {
|
|
|
|
return fmt.Sprintf("e-mail invalid [email: %s]", err.Email)
|
|
|
|
}
|
|
|
|
|
2022-10-18 08:50:37 +03:00
|
|
|
func (err ErrEmailInvalid) Unwrap() error {
|
|
|
|
return util.ErrInvalidArgument
|
|
|
|
}
|
|
|
|
|
2021-11-11 10:03:30 +03:00
|
|
|
// ErrEmailAlreadyUsed represents a "EmailAlreadyUsed" kind of error.
|
|
|
|
type ErrEmailAlreadyUsed struct {
|
|
|
|
Email string
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsErrEmailAlreadyUsed checks if an error is a ErrEmailAlreadyUsed.
|
|
|
|
func IsErrEmailAlreadyUsed(err error) bool {
|
|
|
|
_, ok := err.(ErrEmailAlreadyUsed)
|
|
|
|
return ok
|
|
|
|
}
|
|
|
|
|
|
|
|
func (err ErrEmailAlreadyUsed) Error() string {
|
|
|
|
return fmt.Sprintf("e-mail already in use [email: %s]", err.Email)
|
|
|
|
}
|
|
|
|
|
2022-10-18 08:50:37 +03:00
|
|
|
func (err ErrEmailAlreadyUsed) Unwrap() error {
|
|
|
|
return util.ErrAlreadyExist
|
|
|
|
}
|
|
|
|
|
2021-11-11 10:03:30 +03:00
|
|
|
// ErrEmailAddressNotExist email address not exist
|
|
|
|
type ErrEmailAddressNotExist struct {
|
|
|
|
Email string
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsErrEmailAddressNotExist checks if an error is an ErrEmailAddressNotExist
|
|
|
|
func IsErrEmailAddressNotExist(err error) bool {
|
|
|
|
_, ok := err.(ErrEmailAddressNotExist)
|
|
|
|
return ok
|
|
|
|
}
|
|
|
|
|
|
|
|
func (err ErrEmailAddressNotExist) Error() string {
|
|
|
|
return fmt.Sprintf("Email address does not exist [email: %s]", err.Email)
|
|
|
|
}
|
|
|
|
|
2022-10-18 08:50:37 +03:00
|
|
|
func (err ErrEmailAddressNotExist) Unwrap() error {
|
|
|
|
return util.ErrNotExist
|
|
|
|
}
|
|
|
|
|
2021-11-11 10:03:30 +03:00
|
|
|
// ErrPrimaryEmailCannotDelete primary email address cannot be deleted
|
|
|
|
type ErrPrimaryEmailCannotDelete struct {
|
|
|
|
Email string
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsErrPrimaryEmailCannotDelete checks if an error is an ErrPrimaryEmailCannotDelete
|
|
|
|
func IsErrPrimaryEmailCannotDelete(err error) bool {
|
|
|
|
_, ok := err.(ErrPrimaryEmailCannotDelete)
|
|
|
|
return ok
|
|
|
|
}
|
|
|
|
|
|
|
|
func (err ErrPrimaryEmailCannotDelete) Error() string {
|
|
|
|
return fmt.Sprintf("Primary email address cannot be deleted [email: %s]", err.Email)
|
|
|
|
}
|
|
|
|
|
2022-10-18 08:50:37 +03:00
|
|
|
func (err ErrPrimaryEmailCannotDelete) Unwrap() error {
|
|
|
|
return util.ErrInvalidArgument
|
|
|
|
}
|
|
|
|
|
2021-11-11 10:03:30 +03:00
|
|
|
// EmailAddress is the list of all email addresses of a user. It also contains the
|
|
|
|
// primary email address which is saved in user table.
|
|
|
|
type EmailAddress struct {
|
|
|
|
ID int64 `xorm:"pk autoincr"`
|
|
|
|
UID int64 `xorm:"INDEX NOT NULL"`
|
|
|
|
Email string `xorm:"UNIQUE NOT NULL"`
|
|
|
|
LowerEmail string `xorm:"UNIQUE NOT NULL"`
|
|
|
|
IsActivated bool
|
|
|
|
IsPrimary bool `xorm:"DEFAULT(false) NOT NULL"`
|
|
|
|
}
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
db.RegisterModel(new(EmailAddress))
|
|
|
|
}
|
|
|
|
|
|
|
|
// BeforeInsert will be invoked by XORM before inserting a record
|
|
|
|
func (email *EmailAddress) BeforeInsert() {
|
|
|
|
if email.LowerEmail == "" {
|
|
|
|
email.LowerEmail = strings.ToLower(email.Email)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-03-14 20:39:54 +03:00
|
|
|
var emailRegexp = regexp.MustCompile("^[a-zA-Z0-9.!#$%&'*+-/=?^_`{|}~]*@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$")
|
|
|
|
|
2021-11-11 10:03:30 +03:00
|
|
|
// ValidateEmail check if email is a allowed address
|
|
|
|
func ValidateEmail(email string) error {
|
|
|
|
if len(email) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-03-14 20:39:54 +03:00
|
|
|
if !emailRegexp.MatchString(email) {
|
|
|
|
return ErrEmailCharIsNotSupported{email}
|
|
|
|
}
|
|
|
|
|
2022-10-12 05:44:09 +03:00
|
|
|
if email[0] == '-' {
|
2022-03-14 20:39:54 +03:00
|
|
|
return ErrEmailInvalid{email}
|
|
|
|
}
|
|
|
|
|
2021-11-11 10:03:30 +03:00
|
|
|
if _, err := mail.ParseAddress(email); err != nil {
|
|
|
|
return ErrEmailInvalid{email}
|
|
|
|
}
|
|
|
|
|
2023-08-30 18:46:49 +03:00
|
|
|
// if there is no allow list, then check email against block list
|
|
|
|
if len(setting.Service.EmailDomainAllowList) == 0 &&
|
|
|
|
validation.IsEmailDomainListed(setting.Service.EmailDomainBlockList, email) {
|
|
|
|
return ErrEmailInvalid{email}
|
|
|
|
}
|
|
|
|
|
|
|
|
// if there is an allow list, then check email against allow list
|
|
|
|
if len(setting.Service.EmailDomainAllowList) > 0 &&
|
|
|
|
!validation.IsEmailDomainListed(setting.Service.EmailDomainAllowList, email) {
|
|
|
|
return ErrEmailInvalid{email}
|
|
|
|
}
|
2021-11-11 10:03:30 +03:00
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetEmailAddresses returns all email addresses belongs to given user.
|
2023-09-14 20:09:32 +03:00
|
|
|
func GetEmailAddresses(ctx context.Context, uid int64) ([]*EmailAddress, error) {
|
2021-11-11 10:03:30 +03:00
|
|
|
emails := make([]*EmailAddress, 0, 5)
|
2023-09-14 20:09:32 +03:00
|
|
|
if err := db.GetEngine(ctx).
|
2021-11-11 10:03:30 +03:00
|
|
|
Where("uid=?", uid).
|
|
|
|
Asc("id").
|
|
|
|
Find(&emails); err != nil {
|
2023-11-17 02:17:40 +03:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return emails, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
type ActivatedEmailAddress struct {
|
|
|
|
ID int64
|
|
|
|
Email string
|
|
|
|
}
|
|
|
|
|
|
|
|
func GetActivatedEmailAddresses(ctx context.Context, uid int64) ([]*ActivatedEmailAddress, error) {
|
|
|
|
emails := make([]*ActivatedEmailAddress, 0, 8)
|
|
|
|
if err := db.GetEngine(ctx).
|
|
|
|
Table("email_address").
|
|
|
|
Select("id, email").
|
|
|
|
Where("uid=?", uid).
|
|
|
|
And("is_activated=?", true).
|
|
|
|
Asc("id").
|
|
|
|
Find(&emails); err != nil {
|
2021-11-11 10:03:30 +03:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return emails, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetEmailAddressByID gets a user's email address by ID
|
2023-09-14 20:09:32 +03:00
|
|
|
func GetEmailAddressByID(ctx context.Context, uid, id int64) (*EmailAddress, error) {
|
2021-11-11 10:03:30 +03:00
|
|
|
// User ID is required for security reasons
|
|
|
|
email := &EmailAddress{UID: uid}
|
2023-09-14 20:09:32 +03:00
|
|
|
if has, err := db.GetEngine(ctx).ID(id).Get(email); err != nil {
|
2021-11-11 10:03:30 +03:00
|
|
|
return nil, err
|
|
|
|
} else if !has {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
return email, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsEmailActive check if email is activated with a different emailID
|
|
|
|
func IsEmailActive(ctx context.Context, email string, excludeEmailID int64) (bool, error) {
|
|
|
|
if len(email) == 0 {
|
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Can't filter by boolean field unless it's explicit
|
|
|
|
cond := builder.NewCond()
|
|
|
|
cond = cond.And(builder.Eq{"lower_email": strings.ToLower(email)}, builder.Neq{"id": excludeEmailID})
|
|
|
|
if setting.Service.RegisterEmailConfirm {
|
|
|
|
// Inactive (unvalidated) addresses don't count as active if email validation is required
|
|
|
|
cond = cond.And(builder.Eq{"is_activated": true})
|
|
|
|
}
|
|
|
|
|
|
|
|
var em EmailAddress
|
|
|
|
if has, err := db.GetEngine(ctx).Where(cond).Get(&em); has || err != nil {
|
|
|
|
if has {
|
|
|
|
log.Info("isEmailActive(%q, %d) found duplicate in email ID %d", email, excludeEmailID, em.ID)
|
|
|
|
}
|
|
|
|
return has, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return false, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsEmailUsed returns true if the email has been used.
|
|
|
|
func IsEmailUsed(ctx context.Context, email string) (bool, error) {
|
|
|
|
if len(email) == 0 {
|
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return db.GetEngine(ctx).Where("lower_email=?", strings.ToLower(email)).Get(&EmailAddress{})
|
|
|
|
}
|
|
|
|
|
2022-05-20 17:08:52 +03:00
|
|
|
// AddEmailAddress adds an email address to given user.
|
|
|
|
func AddEmailAddress(ctx context.Context, email *EmailAddress) error {
|
2021-11-11 10:03:30 +03:00
|
|
|
email.Email = strings.TrimSpace(email.Email)
|
|
|
|
used, err := IsEmailUsed(ctx, email.Email)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
} else if used {
|
|
|
|
return ErrEmailAlreadyUsed{email.Email}
|
|
|
|
}
|
|
|
|
|
|
|
|
if err = ValidateEmail(email.Email); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
return db.Insert(ctx, email)
|
|
|
|
}
|
|
|
|
|
|
|
|
// AddEmailAddresses adds an email address to given user.
|
2023-09-14 20:09:32 +03:00
|
|
|
func AddEmailAddresses(ctx context.Context, emails []*EmailAddress) error {
|
2021-11-11 10:03:30 +03:00
|
|
|
if len(emails) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if any of them has been used
|
|
|
|
for i := range emails {
|
|
|
|
emails[i].Email = strings.TrimSpace(emails[i].Email)
|
2023-09-14 20:09:32 +03:00
|
|
|
used, err := IsEmailUsed(ctx, emails[i].Email)
|
2021-11-11 10:03:30 +03:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
} else if used {
|
|
|
|
return ErrEmailAlreadyUsed{emails[i].Email}
|
|
|
|
}
|
|
|
|
if err = ValidateEmail(emails[i].Email); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-09-14 20:09:32 +03:00
|
|
|
if err := db.Insert(ctx, emails); err != nil {
|
2022-10-24 22:29:17 +03:00
|
|
|
return fmt.Errorf("Insert: %w", err)
|
2021-11-11 10:03:30 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// DeleteEmailAddress deletes an email address of given user.
|
2023-09-14 20:09:32 +03:00
|
|
|
func DeleteEmailAddress(ctx context.Context, email *EmailAddress) (err error) {
|
2021-11-11 10:03:30 +03:00
|
|
|
if email.IsPrimary {
|
|
|
|
return ErrPrimaryEmailCannotDelete{Email: email.Email}
|
|
|
|
}
|
|
|
|
|
|
|
|
var deleted int64
|
|
|
|
// ask to check UID
|
|
|
|
address := EmailAddress{
|
|
|
|
UID: email.UID,
|
|
|
|
}
|
|
|
|
if email.ID > 0 {
|
2023-09-14 20:09:32 +03:00
|
|
|
deleted, err = db.GetEngine(ctx).ID(email.ID).Delete(&address)
|
2021-11-11 10:03:30 +03:00
|
|
|
} else {
|
|
|
|
if email.Email != "" && email.LowerEmail == "" {
|
|
|
|
email.LowerEmail = strings.ToLower(email.Email)
|
|
|
|
}
|
2023-09-14 20:09:32 +03:00
|
|
|
deleted, err = db.GetEngine(ctx).
|
2021-11-11 10:03:30 +03:00
|
|
|
Where("lower_email=?", email.LowerEmail).
|
|
|
|
Delete(&address)
|
|
|
|
}
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
} else if deleted != 1 {
|
|
|
|
return ErrEmailAddressNotExist{Email: email.Email}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// DeleteEmailAddresses deletes multiple email addresses
|
2023-09-14 20:09:32 +03:00
|
|
|
func DeleteEmailAddresses(ctx context.Context, emails []*EmailAddress) (err error) {
|
2021-11-11 10:03:30 +03:00
|
|
|
for i := range emails {
|
2023-09-14 20:09:32 +03:00
|
|
|
if err = DeleteEmailAddress(ctx, emails[i]); err != nil {
|
2021-11-11 10:03:30 +03:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
2021-11-18 20:42:27 +03:00
|
|
|
|
|
|
|
// DeleteInactiveEmailAddresses deletes inactive email addresses
|
|
|
|
func DeleteInactiveEmailAddresses(ctx context.Context) error {
|
|
|
|
_, err := db.GetEngine(ctx).
|
|
|
|
Where("is_activated = ?", false).
|
|
|
|
Delete(new(EmailAddress))
|
|
|
|
return err
|
|
|
|
}
|
2021-11-28 17:11:58 +03:00
|
|
|
|
|
|
|
// ActivateEmail activates the email address to given user.
|
2023-09-14 20:09:32 +03:00
|
|
|
func ActivateEmail(ctx context.Context, email *EmailAddress) error {
|
|
|
|
ctx, committer, err := db.TxContext(ctx)
|
2021-11-28 17:11:58 +03:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer committer.Close()
|
2022-05-20 17:08:52 +03:00
|
|
|
if err := updateActivation(ctx, email, true); err != nil {
|
2021-11-28 17:11:58 +03:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
return committer.Commit()
|
|
|
|
}
|
|
|
|
|
2022-05-20 17:08:52 +03:00
|
|
|
func updateActivation(ctx context.Context, email *EmailAddress, activate bool) error {
|
2022-12-03 05:48:26 +03:00
|
|
|
user, err := GetUserByID(ctx, email.UID)
|
2021-11-28 17:11:58 +03:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if user.Rands, err = GetUserSalt(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
email.IsActivated = activate
|
2022-05-20 17:08:52 +03:00
|
|
|
if _, err := db.GetEngine(ctx).ID(email.ID).Cols("is_activated").Update(email); err != nil {
|
2021-11-28 17:11:58 +03:00
|
|
|
return err
|
|
|
|
}
|
2022-05-20 17:08:52 +03:00
|
|
|
return UpdateUserCols(ctx, user, "rands")
|
2021-11-28 17:11:58 +03:00
|
|
|
}
|
|
|
|
|
[GITEA] Allow changing the email address before activation
During registration, one may be required to give their email address, to
be verified and activated later. However, if one makes a mistake, a
typo, they may end up with an account that cannot be activated due to
having a wrong email address.
They can still log in, but not change the email address, thus, no way to
activate it without help from an administrator.
To remedy this issue, lets allow changing the email address for logged
in, but not activated users.
This fixes gitea#17785.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit aaaece28e4c6a8980cef932e224e84933d7c9262)
(cherry picked from commit 639dafabec0a5c1f943b44ca02f72c5ba2fc5e10)
(cherry picked from commit d699c12cebea7dbbda950ae257a46d53c39f22ea)
[GITEA] Allow changing the email address before activation (squash) cache is always active
This needs to be revisited because the MailResendLimit is not enforced
and turns out to not be tested.
See e7cb8da2a8 * Always enable caches (#28527)
(cherry picked from commit 43ded8ee30ab5c7a40a456600cdaa8a0fbdccec2)
Rate limit pre-activation email change separately
Changing the email address before any email address is activated should
be subject to a different rate limit than the normal activation email
resending. If there's only one rate limit for both, then if a newly
signed up quickly discovers they gave a wrong email address, they'd have
to wait three minutes to change it.
With the two separate limits, they don't - but they'll have to wait
three minutes before they can change the email address again.
The downside of this setup is that a malicious actor can alternate
between resending and changing the email address (to something like
`user+$idx@domain`, delivered to the same inbox) to effectively halving
the rate limit. I do not think there's a better solution, and this feels
like such a small attack surface that I'd deem it acceptable.
The way the code works after this change is that `ActivatePost` will now
check the `MailChangeLimit_user` key rather than `MailResendLimit_user`,
and if we're within the limit, it will set `MailChangedJustNow_user`. The
`Activate` method - which sends the activation email, whether it is a
normal resend, or one following an email change - will check
`MailChangedJustNow_user`, and if it is set, it will check the rate
limit against `MailChangedLimit_user`, otherwise against
`MailResendLimit_user`, and then will delete the
`MailChangedJustNow_user` key from the cache.
Fixes #2040.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit e35d2af2e56f4ecb3a4f6d1109d02c8aa1a6d182)
(cherry picked from commit 03989418a70d3445e0edada7fbe5a4151d7836b1)
(cherry picked from commit f50e0dfe5e90d6a31c5b59e687580e8b2725c22b)
(cherry picked from commit cad9184a3653e6c80de2e006a0d699b816980987)
2023-12-07 14:57:16 +03:00
|
|
|
func makeEmailPrimary(ctx context.Context, user *User, email *EmailAddress) error {
|
|
|
|
ctx, committer, err := db.TxContext(ctx)
|
2021-11-28 17:11:58 +03:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
[GITEA] Allow changing the email address before activation
During registration, one may be required to give their email address, to
be verified and activated later. However, if one makes a mistake, a
typo, they may end up with an account that cannot be activated due to
having a wrong email address.
They can still log in, but not change the email address, thus, no way to
activate it without help from an administrator.
To remedy this issue, lets allow changing the email address for logged
in, but not activated users.
This fixes gitea#17785.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit aaaece28e4c6a8980cef932e224e84933d7c9262)
(cherry picked from commit 639dafabec0a5c1f943b44ca02f72c5ba2fc5e10)
(cherry picked from commit d699c12cebea7dbbda950ae257a46d53c39f22ea)
[GITEA] Allow changing the email address before activation (squash) cache is always active
This needs to be revisited because the MailResendLimit is not enforced
and turns out to not be tested.
See e7cb8da2a8 * Always enable caches (#28527)
(cherry picked from commit 43ded8ee30ab5c7a40a456600cdaa8a0fbdccec2)
Rate limit pre-activation email change separately
Changing the email address before any email address is activated should
be subject to a different rate limit than the normal activation email
resending. If there's only one rate limit for both, then if a newly
signed up quickly discovers they gave a wrong email address, they'd have
to wait three minutes to change it.
With the two separate limits, they don't - but they'll have to wait
three minutes before they can change the email address again.
The downside of this setup is that a malicious actor can alternate
between resending and changing the email address (to something like
`user+$idx@domain`, delivered to the same inbox) to effectively halving
the rate limit. I do not think there's a better solution, and this feels
like such a small attack surface that I'd deem it acceptable.
The way the code works after this change is that `ActivatePost` will now
check the `MailChangeLimit_user` key rather than `MailResendLimit_user`,
and if we're within the limit, it will set `MailChangedJustNow_user`. The
`Activate` method - which sends the activation email, whether it is a
normal resend, or one following an email change - will check
`MailChangedJustNow_user`, and if it is set, it will check the rate
limit against `MailChangedLimit_user`, otherwise against
`MailResendLimit_user`, and then will delete the
`MailChangedJustNow_user` key from the cache.
Fixes #2040.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit e35d2af2e56f4ecb3a4f6d1109d02c8aa1a6d182)
(cherry picked from commit 03989418a70d3445e0edada7fbe5a4151d7836b1)
(cherry picked from commit f50e0dfe5e90d6a31c5b59e687580e8b2725c22b)
(cherry picked from commit cad9184a3653e6c80de2e006a0d699b816980987)
2023-12-07 14:57:16 +03:00
|
|
|
defer committer.Close()
|
|
|
|
sess := db.GetEngine(ctx)
|
2021-11-28 17:11:58 +03:00
|
|
|
|
[GITEA] Allow changing the email address before activation
During registration, one may be required to give their email address, to
be verified and activated later. However, if one makes a mistake, a
typo, they may end up with an account that cannot be activated due to
having a wrong email address.
They can still log in, but not change the email address, thus, no way to
activate it without help from an administrator.
To remedy this issue, lets allow changing the email address for logged
in, but not activated users.
This fixes gitea#17785.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit aaaece28e4c6a8980cef932e224e84933d7c9262)
(cherry picked from commit 639dafabec0a5c1f943b44ca02f72c5ba2fc5e10)
(cherry picked from commit d699c12cebea7dbbda950ae257a46d53c39f22ea)
[GITEA] Allow changing the email address before activation (squash) cache is always active
This needs to be revisited because the MailResendLimit is not enforced
and turns out to not be tested.
See e7cb8da2a8 * Always enable caches (#28527)
(cherry picked from commit 43ded8ee30ab5c7a40a456600cdaa8a0fbdccec2)
Rate limit pre-activation email change separately
Changing the email address before any email address is activated should
be subject to a different rate limit than the normal activation email
resending. If there's only one rate limit for both, then if a newly
signed up quickly discovers they gave a wrong email address, they'd have
to wait three minutes to change it.
With the two separate limits, they don't - but they'll have to wait
three minutes before they can change the email address again.
The downside of this setup is that a malicious actor can alternate
between resending and changing the email address (to something like
`user+$idx@domain`, delivered to the same inbox) to effectively halving
the rate limit. I do not think there's a better solution, and this feels
like such a small attack surface that I'd deem it acceptable.
The way the code works after this change is that `ActivatePost` will now
check the `MailChangeLimit_user` key rather than `MailResendLimit_user`,
and if we're within the limit, it will set `MailChangedJustNow_user`. The
`Activate` method - which sends the activation email, whether it is a
normal resend, or one following an email change - will check
`MailChangedJustNow_user`, and if it is set, it will check the rate
limit against `MailChangedLimit_user`, otherwise against
`MailResendLimit_user`, and then will delete the
`MailChangedJustNow_user` key from the cache.
Fixes #2040.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit e35d2af2e56f4ecb3a4f6d1109d02c8aa1a6d182)
(cherry picked from commit 03989418a70d3445e0edada7fbe5a4151d7836b1)
(cherry picked from commit f50e0dfe5e90d6a31c5b59e687580e8b2725c22b)
(cherry picked from commit cad9184a3653e6c80de2e006a0d699b816980987)
2023-12-07 14:57:16 +03:00
|
|
|
// 1. Update user table
|
|
|
|
user.Email = email.Email
|
|
|
|
if _, err = sess.ID(user.ID).Cols("email").Update(user); err != nil {
|
|
|
|
return err
|
2021-11-28 17:11:58 +03:00
|
|
|
}
|
|
|
|
|
[GITEA] Allow changing the email address before activation
During registration, one may be required to give their email address, to
be verified and activated later. However, if one makes a mistake, a
typo, they may end up with an account that cannot be activated due to
having a wrong email address.
They can still log in, but not change the email address, thus, no way to
activate it without help from an administrator.
To remedy this issue, lets allow changing the email address for logged
in, but not activated users.
This fixes gitea#17785.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit aaaece28e4c6a8980cef932e224e84933d7c9262)
(cherry picked from commit 639dafabec0a5c1f943b44ca02f72c5ba2fc5e10)
(cherry picked from commit d699c12cebea7dbbda950ae257a46d53c39f22ea)
[GITEA] Allow changing the email address before activation (squash) cache is always active
This needs to be revisited because the MailResendLimit is not enforced
and turns out to not be tested.
See e7cb8da2a8 * Always enable caches (#28527)
(cherry picked from commit 43ded8ee30ab5c7a40a456600cdaa8a0fbdccec2)
Rate limit pre-activation email change separately
Changing the email address before any email address is activated should
be subject to a different rate limit than the normal activation email
resending. If there's only one rate limit for both, then if a newly
signed up quickly discovers they gave a wrong email address, they'd have
to wait three minutes to change it.
With the two separate limits, they don't - but they'll have to wait
three minutes before they can change the email address again.
The downside of this setup is that a malicious actor can alternate
between resending and changing the email address (to something like
`user+$idx@domain`, delivered to the same inbox) to effectively halving
the rate limit. I do not think there's a better solution, and this feels
like such a small attack surface that I'd deem it acceptable.
The way the code works after this change is that `ActivatePost` will now
check the `MailChangeLimit_user` key rather than `MailResendLimit_user`,
and if we're within the limit, it will set `MailChangedJustNow_user`. The
`Activate` method - which sends the activation email, whether it is a
normal resend, or one following an email change - will check
`MailChangedJustNow_user`, and if it is set, it will check the rate
limit against `MailChangedLimit_user`, otherwise against
`MailResendLimit_user`, and then will delete the
`MailChangedJustNow_user` key from the cache.
Fixes #2040.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit e35d2af2e56f4ecb3a4f6d1109d02c8aa1a6d182)
(cherry picked from commit 03989418a70d3445e0edada7fbe5a4151d7836b1)
(cherry picked from commit f50e0dfe5e90d6a31c5b59e687580e8b2725c22b)
(cherry picked from commit cad9184a3653e6c80de2e006a0d699b816980987)
2023-12-07 14:57:16 +03:00
|
|
|
// 2. Update old primary email
|
|
|
|
if _, err = sess.Where("uid=? AND is_primary=?", email.UID, true).Cols("is_primary").Update(&EmailAddress{
|
|
|
|
IsPrimary: false,
|
|
|
|
}); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// 3. update new primary email
|
|
|
|
email.IsPrimary = true
|
|
|
|
if _, err = sess.ID(email.ID).Cols("is_primary").Update(email); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
return committer.Commit()
|
|
|
|
}
|
|
|
|
|
|
|
|
// ReplaceInactivePrimaryEmail replaces the primary email of a given user, even if the primary is not yet activated.
|
|
|
|
func ReplaceInactivePrimaryEmail(ctx context.Context, oldEmail string, email *EmailAddress) error {
|
2021-11-28 17:11:58 +03:00
|
|
|
user := &User{}
|
[GITEA] Allow changing the email address before activation
During registration, one may be required to give their email address, to
be verified and activated later. However, if one makes a mistake, a
typo, they may end up with an account that cannot be activated due to
having a wrong email address.
They can still log in, but not change the email address, thus, no way to
activate it without help from an administrator.
To remedy this issue, lets allow changing the email address for logged
in, but not activated users.
This fixes gitea#17785.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit aaaece28e4c6a8980cef932e224e84933d7c9262)
(cherry picked from commit 639dafabec0a5c1f943b44ca02f72c5ba2fc5e10)
(cherry picked from commit d699c12cebea7dbbda950ae257a46d53c39f22ea)
[GITEA] Allow changing the email address before activation (squash) cache is always active
This needs to be revisited because the MailResendLimit is not enforced
and turns out to not be tested.
See e7cb8da2a8 * Always enable caches (#28527)
(cherry picked from commit 43ded8ee30ab5c7a40a456600cdaa8a0fbdccec2)
Rate limit pre-activation email change separately
Changing the email address before any email address is activated should
be subject to a different rate limit than the normal activation email
resending. If there's only one rate limit for both, then if a newly
signed up quickly discovers they gave a wrong email address, they'd have
to wait three minutes to change it.
With the two separate limits, they don't - but they'll have to wait
three minutes before they can change the email address again.
The downside of this setup is that a malicious actor can alternate
between resending and changing the email address (to something like
`user+$idx@domain`, delivered to the same inbox) to effectively halving
the rate limit. I do not think there's a better solution, and this feels
like such a small attack surface that I'd deem it acceptable.
The way the code works after this change is that `ActivatePost` will now
check the `MailChangeLimit_user` key rather than `MailResendLimit_user`,
and if we're within the limit, it will set `MailChangedJustNow_user`. The
`Activate` method - which sends the activation email, whether it is a
normal resend, or one following an email change - will check
`MailChangedJustNow_user`, and if it is set, it will check the rate
limit against `MailChangedLimit_user`, otherwise against
`MailResendLimit_user`, and then will delete the
`MailChangedJustNow_user` key from the cache.
Fixes #2040.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit e35d2af2e56f4ecb3a4f6d1109d02c8aa1a6d182)
(cherry picked from commit 03989418a70d3445e0edada7fbe5a4151d7836b1)
(cherry picked from commit f50e0dfe5e90d6a31c5b59e687580e8b2725c22b)
(cherry picked from commit cad9184a3653e6c80de2e006a0d699b816980987)
2023-12-07 14:57:16 +03:00
|
|
|
has, err := db.GetEngine(ctx).ID(email.UID).Get(user)
|
2021-11-28 17:11:58 +03:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
} else if !has {
|
|
|
|
return ErrUserNotExist{
|
|
|
|
UID: email.UID,
|
|
|
|
Name: "",
|
|
|
|
KeyID: 0,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
[GITEA] Allow changing the email address before activation
During registration, one may be required to give their email address, to
be verified and activated later. However, if one makes a mistake, a
typo, they may end up with an account that cannot be activated due to
having a wrong email address.
They can still log in, but not change the email address, thus, no way to
activate it without help from an administrator.
To remedy this issue, lets allow changing the email address for logged
in, but not activated users.
This fixes gitea#17785.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit aaaece28e4c6a8980cef932e224e84933d7c9262)
(cherry picked from commit 639dafabec0a5c1f943b44ca02f72c5ba2fc5e10)
(cherry picked from commit d699c12cebea7dbbda950ae257a46d53c39f22ea)
[GITEA] Allow changing the email address before activation (squash) cache is always active
This needs to be revisited because the MailResendLimit is not enforced
and turns out to not be tested.
See e7cb8da2a8 * Always enable caches (#28527)
(cherry picked from commit 43ded8ee30ab5c7a40a456600cdaa8a0fbdccec2)
Rate limit pre-activation email change separately
Changing the email address before any email address is activated should
be subject to a different rate limit than the normal activation email
resending. If there's only one rate limit for both, then if a newly
signed up quickly discovers they gave a wrong email address, they'd have
to wait three minutes to change it.
With the two separate limits, they don't - but they'll have to wait
three minutes before they can change the email address again.
The downside of this setup is that a malicious actor can alternate
between resending and changing the email address (to something like
`user+$idx@domain`, delivered to the same inbox) to effectively halving
the rate limit. I do not think there's a better solution, and this feels
like such a small attack surface that I'd deem it acceptable.
The way the code works after this change is that `ActivatePost` will now
check the `MailChangeLimit_user` key rather than `MailResendLimit_user`,
and if we're within the limit, it will set `MailChangedJustNow_user`. The
`Activate` method - which sends the activation email, whether it is a
normal resend, or one following an email change - will check
`MailChangedJustNow_user`, and if it is set, it will check the rate
limit against `MailChangedLimit_user`, otherwise against
`MailResendLimit_user`, and then will delete the
`MailChangedJustNow_user` key from the cache.
Fixes #2040.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit e35d2af2e56f4ecb3a4f6d1109d02c8aa1a6d182)
(cherry picked from commit 03989418a70d3445e0edada7fbe5a4151d7836b1)
(cherry picked from commit f50e0dfe5e90d6a31c5b59e687580e8b2725c22b)
(cherry picked from commit cad9184a3653e6c80de2e006a0d699b816980987)
2023-12-07 14:57:16 +03:00
|
|
|
err = AddEmailAddress(ctx, email)
|
2021-11-28 17:11:58 +03:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
[GITEA] Allow changing the email address before activation
During registration, one may be required to give their email address, to
be verified and activated later. However, if one makes a mistake, a
typo, they may end up with an account that cannot be activated due to
having a wrong email address.
They can still log in, but not change the email address, thus, no way to
activate it without help from an administrator.
To remedy this issue, lets allow changing the email address for logged
in, but not activated users.
This fixes gitea#17785.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit aaaece28e4c6a8980cef932e224e84933d7c9262)
(cherry picked from commit 639dafabec0a5c1f943b44ca02f72c5ba2fc5e10)
(cherry picked from commit d699c12cebea7dbbda950ae257a46d53c39f22ea)
[GITEA] Allow changing the email address before activation (squash) cache is always active
This needs to be revisited because the MailResendLimit is not enforced
and turns out to not be tested.
See e7cb8da2a8 * Always enable caches (#28527)
(cherry picked from commit 43ded8ee30ab5c7a40a456600cdaa8a0fbdccec2)
Rate limit pre-activation email change separately
Changing the email address before any email address is activated should
be subject to a different rate limit than the normal activation email
resending. If there's only one rate limit for both, then if a newly
signed up quickly discovers they gave a wrong email address, they'd have
to wait three minutes to change it.
With the two separate limits, they don't - but they'll have to wait
three minutes before they can change the email address again.
The downside of this setup is that a malicious actor can alternate
between resending and changing the email address (to something like
`user+$idx@domain`, delivered to the same inbox) to effectively halving
the rate limit. I do not think there's a better solution, and this feels
like such a small attack surface that I'd deem it acceptable.
The way the code works after this change is that `ActivatePost` will now
check the `MailChangeLimit_user` key rather than `MailResendLimit_user`,
and if we're within the limit, it will set `MailChangedJustNow_user`. The
`Activate` method - which sends the activation email, whether it is a
normal resend, or one following an email change - will check
`MailChangedJustNow_user`, and if it is set, it will check the rate
limit against `MailChangedLimit_user`, otherwise against
`MailResendLimit_user`, and then will delete the
`MailChangedJustNow_user` key from the cache.
Fixes #2040.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit e35d2af2e56f4ecb3a4f6d1109d02c8aa1a6d182)
(cherry picked from commit 03989418a70d3445e0edada7fbe5a4151d7836b1)
(cherry picked from commit f50e0dfe5e90d6a31c5b59e687580e8b2725c22b)
(cherry picked from commit cad9184a3653e6c80de2e006a0d699b816980987)
2023-12-07 14:57:16 +03:00
|
|
|
err = makeEmailPrimary(ctx, user, email)
|
|
|
|
if err != nil {
|
2021-11-28 17:11:58 +03:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
[GITEA] Allow changing the email address before activation
During registration, one may be required to give their email address, to
be verified and activated later. However, if one makes a mistake, a
typo, they may end up with an account that cannot be activated due to
having a wrong email address.
They can still log in, but not change the email address, thus, no way to
activate it without help from an administrator.
To remedy this issue, lets allow changing the email address for logged
in, but not activated users.
This fixes gitea#17785.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit aaaece28e4c6a8980cef932e224e84933d7c9262)
(cherry picked from commit 639dafabec0a5c1f943b44ca02f72c5ba2fc5e10)
(cherry picked from commit d699c12cebea7dbbda950ae257a46d53c39f22ea)
[GITEA] Allow changing the email address before activation (squash) cache is always active
This needs to be revisited because the MailResendLimit is not enforced
and turns out to not be tested.
See e7cb8da2a8 * Always enable caches (#28527)
(cherry picked from commit 43ded8ee30ab5c7a40a456600cdaa8a0fbdccec2)
Rate limit pre-activation email change separately
Changing the email address before any email address is activated should
be subject to a different rate limit than the normal activation email
resending. If there's only one rate limit for both, then if a newly
signed up quickly discovers they gave a wrong email address, they'd have
to wait three minutes to change it.
With the two separate limits, they don't - but they'll have to wait
three minutes before they can change the email address again.
The downside of this setup is that a malicious actor can alternate
between resending and changing the email address (to something like
`user+$idx@domain`, delivered to the same inbox) to effectively halving
the rate limit. I do not think there's a better solution, and this feels
like such a small attack surface that I'd deem it acceptable.
The way the code works after this change is that `ActivatePost` will now
check the `MailChangeLimit_user` key rather than `MailResendLimit_user`,
and if we're within the limit, it will set `MailChangedJustNow_user`. The
`Activate` method - which sends the activation email, whether it is a
normal resend, or one following an email change - will check
`MailChangedJustNow_user`, and if it is set, it will check the rate
limit against `MailChangedLimit_user`, otherwise against
`MailResendLimit_user`, and then will delete the
`MailChangedJustNow_user` key from the cache.
Fixes #2040.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit e35d2af2e56f4ecb3a4f6d1109d02c8aa1a6d182)
(cherry picked from commit 03989418a70d3445e0edada7fbe5a4151d7836b1)
(cherry picked from commit f50e0dfe5e90d6a31c5b59e687580e8b2725c22b)
(cherry picked from commit cad9184a3653e6c80de2e006a0d699b816980987)
2023-12-07 14:57:16 +03:00
|
|
|
return DeleteEmailAddress(ctx, &EmailAddress{UID: email.UID, Email: oldEmail})
|
|
|
|
}
|
|
|
|
|
|
|
|
// MakeEmailPrimary sets primary email address of given user.
|
|
|
|
func MakeEmailPrimary(ctx context.Context, email *EmailAddress) error {
|
|
|
|
has, err := db.GetEngine(ctx).Get(email)
|
|
|
|
if err != nil {
|
2021-11-28 17:11:58 +03:00
|
|
|
return err
|
[GITEA] Allow changing the email address before activation
During registration, one may be required to give their email address, to
be verified and activated later. However, if one makes a mistake, a
typo, they may end up with an account that cannot be activated due to
having a wrong email address.
They can still log in, but not change the email address, thus, no way to
activate it without help from an administrator.
To remedy this issue, lets allow changing the email address for logged
in, but not activated users.
This fixes gitea#17785.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit aaaece28e4c6a8980cef932e224e84933d7c9262)
(cherry picked from commit 639dafabec0a5c1f943b44ca02f72c5ba2fc5e10)
(cherry picked from commit d699c12cebea7dbbda950ae257a46d53c39f22ea)
[GITEA] Allow changing the email address before activation (squash) cache is always active
This needs to be revisited because the MailResendLimit is not enforced
and turns out to not be tested.
See e7cb8da2a8 * Always enable caches (#28527)
(cherry picked from commit 43ded8ee30ab5c7a40a456600cdaa8a0fbdccec2)
Rate limit pre-activation email change separately
Changing the email address before any email address is activated should
be subject to a different rate limit than the normal activation email
resending. If there's only one rate limit for both, then if a newly
signed up quickly discovers they gave a wrong email address, they'd have
to wait three minutes to change it.
With the two separate limits, they don't - but they'll have to wait
three minutes before they can change the email address again.
The downside of this setup is that a malicious actor can alternate
between resending and changing the email address (to something like
`user+$idx@domain`, delivered to the same inbox) to effectively halving
the rate limit. I do not think there's a better solution, and this feels
like such a small attack surface that I'd deem it acceptable.
The way the code works after this change is that `ActivatePost` will now
check the `MailChangeLimit_user` key rather than `MailResendLimit_user`,
and if we're within the limit, it will set `MailChangedJustNow_user`. The
`Activate` method - which sends the activation email, whether it is a
normal resend, or one following an email change - will check
`MailChangedJustNow_user`, and if it is set, it will check the rate
limit against `MailChangedLimit_user`, otherwise against
`MailResendLimit_user`, and then will delete the
`MailChangedJustNow_user` key from the cache.
Fixes #2040.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit e35d2af2e56f4ecb3a4f6d1109d02c8aa1a6d182)
(cherry picked from commit 03989418a70d3445e0edada7fbe5a4151d7836b1)
(cherry picked from commit f50e0dfe5e90d6a31c5b59e687580e8b2725c22b)
(cherry picked from commit cad9184a3653e6c80de2e006a0d699b816980987)
2023-12-07 14:57:16 +03:00
|
|
|
} else if !has {
|
|
|
|
return ErrEmailAddressNotExist{Email: email.Email}
|
2021-11-28 17:11:58 +03:00
|
|
|
}
|
|
|
|
|
[GITEA] Allow changing the email address before activation
During registration, one may be required to give their email address, to
be verified and activated later. However, if one makes a mistake, a
typo, they may end up with an account that cannot be activated due to
having a wrong email address.
They can still log in, but not change the email address, thus, no way to
activate it without help from an administrator.
To remedy this issue, lets allow changing the email address for logged
in, but not activated users.
This fixes gitea#17785.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit aaaece28e4c6a8980cef932e224e84933d7c9262)
(cherry picked from commit 639dafabec0a5c1f943b44ca02f72c5ba2fc5e10)
(cherry picked from commit d699c12cebea7dbbda950ae257a46d53c39f22ea)
[GITEA] Allow changing the email address before activation (squash) cache is always active
This needs to be revisited because the MailResendLimit is not enforced
and turns out to not be tested.
See e7cb8da2a8 * Always enable caches (#28527)
(cherry picked from commit 43ded8ee30ab5c7a40a456600cdaa8a0fbdccec2)
Rate limit pre-activation email change separately
Changing the email address before any email address is activated should
be subject to a different rate limit than the normal activation email
resending. If there's only one rate limit for both, then if a newly
signed up quickly discovers they gave a wrong email address, they'd have
to wait three minutes to change it.
With the two separate limits, they don't - but they'll have to wait
three minutes before they can change the email address again.
The downside of this setup is that a malicious actor can alternate
between resending and changing the email address (to something like
`user+$idx@domain`, delivered to the same inbox) to effectively halving
the rate limit. I do not think there's a better solution, and this feels
like such a small attack surface that I'd deem it acceptable.
The way the code works after this change is that `ActivatePost` will now
check the `MailChangeLimit_user` key rather than `MailResendLimit_user`,
and if we're within the limit, it will set `MailChangedJustNow_user`. The
`Activate` method - which sends the activation email, whether it is a
normal resend, or one following an email change - will check
`MailChangedJustNow_user`, and if it is set, it will check the rate
limit against `MailChangedLimit_user`, otherwise against
`MailResendLimit_user`, and then will delete the
`MailChangedJustNow_user` key from the cache.
Fixes #2040.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit e35d2af2e56f4ecb3a4f6d1109d02c8aa1a6d182)
(cherry picked from commit 03989418a70d3445e0edada7fbe5a4151d7836b1)
(cherry picked from commit f50e0dfe5e90d6a31c5b59e687580e8b2725c22b)
(cherry picked from commit cad9184a3653e6c80de2e006a0d699b816980987)
2023-12-07 14:57:16 +03:00
|
|
|
if !email.IsActivated {
|
|
|
|
return ErrEmailNotActivated
|
|
|
|
}
|
|
|
|
|
|
|
|
user := &User{}
|
|
|
|
has, err = db.GetEngine(ctx).ID(email.UID).Get(user)
|
|
|
|
if err != nil {
|
2021-11-28 17:11:58 +03:00
|
|
|
return err
|
[GITEA] Allow changing the email address before activation
During registration, one may be required to give their email address, to
be verified and activated later. However, if one makes a mistake, a
typo, they may end up with an account that cannot be activated due to
having a wrong email address.
They can still log in, but not change the email address, thus, no way to
activate it without help from an administrator.
To remedy this issue, lets allow changing the email address for logged
in, but not activated users.
This fixes gitea#17785.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit aaaece28e4c6a8980cef932e224e84933d7c9262)
(cherry picked from commit 639dafabec0a5c1f943b44ca02f72c5ba2fc5e10)
(cherry picked from commit d699c12cebea7dbbda950ae257a46d53c39f22ea)
[GITEA] Allow changing the email address before activation (squash) cache is always active
This needs to be revisited because the MailResendLimit is not enforced
and turns out to not be tested.
See e7cb8da2a8 * Always enable caches (#28527)
(cherry picked from commit 43ded8ee30ab5c7a40a456600cdaa8a0fbdccec2)
Rate limit pre-activation email change separately
Changing the email address before any email address is activated should
be subject to a different rate limit than the normal activation email
resending. If there's only one rate limit for both, then if a newly
signed up quickly discovers they gave a wrong email address, they'd have
to wait three minutes to change it.
With the two separate limits, they don't - but they'll have to wait
three minutes before they can change the email address again.
The downside of this setup is that a malicious actor can alternate
between resending and changing the email address (to something like
`user+$idx@domain`, delivered to the same inbox) to effectively halving
the rate limit. I do not think there's a better solution, and this feels
like such a small attack surface that I'd deem it acceptable.
The way the code works after this change is that `ActivatePost` will now
check the `MailChangeLimit_user` key rather than `MailResendLimit_user`,
and if we're within the limit, it will set `MailChangedJustNow_user`. The
`Activate` method - which sends the activation email, whether it is a
normal resend, or one following an email change - will check
`MailChangedJustNow_user`, and if it is set, it will check the rate
limit against `MailChangedLimit_user`, otherwise against
`MailResendLimit_user`, and then will delete the
`MailChangedJustNow_user` key from the cache.
Fixes #2040.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit e35d2af2e56f4ecb3a4f6d1109d02c8aa1a6d182)
(cherry picked from commit 03989418a70d3445e0edada7fbe5a4151d7836b1)
(cherry picked from commit f50e0dfe5e90d6a31c5b59e687580e8b2725c22b)
(cherry picked from commit cad9184a3653e6c80de2e006a0d699b816980987)
2023-12-07 14:57:16 +03:00
|
|
|
} else if !has {
|
|
|
|
return ErrUserNotExist{UID: email.UID}
|
2021-11-28 17:11:58 +03:00
|
|
|
}
|
|
|
|
|
[GITEA] Allow changing the email address before activation
During registration, one may be required to give their email address, to
be verified and activated later. However, if one makes a mistake, a
typo, they may end up with an account that cannot be activated due to
having a wrong email address.
They can still log in, but not change the email address, thus, no way to
activate it without help from an administrator.
To remedy this issue, lets allow changing the email address for logged
in, but not activated users.
This fixes gitea#17785.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit aaaece28e4c6a8980cef932e224e84933d7c9262)
(cherry picked from commit 639dafabec0a5c1f943b44ca02f72c5ba2fc5e10)
(cherry picked from commit d699c12cebea7dbbda950ae257a46d53c39f22ea)
[GITEA] Allow changing the email address before activation (squash) cache is always active
This needs to be revisited because the MailResendLimit is not enforced
and turns out to not be tested.
See e7cb8da2a8 * Always enable caches (#28527)
(cherry picked from commit 43ded8ee30ab5c7a40a456600cdaa8a0fbdccec2)
Rate limit pre-activation email change separately
Changing the email address before any email address is activated should
be subject to a different rate limit than the normal activation email
resending. If there's only one rate limit for both, then if a newly
signed up quickly discovers they gave a wrong email address, they'd have
to wait three minutes to change it.
With the two separate limits, they don't - but they'll have to wait
three minutes before they can change the email address again.
The downside of this setup is that a malicious actor can alternate
between resending and changing the email address (to something like
`user+$idx@domain`, delivered to the same inbox) to effectively halving
the rate limit. I do not think there's a better solution, and this feels
like such a small attack surface that I'd deem it acceptable.
The way the code works after this change is that `ActivatePost` will now
check the `MailChangeLimit_user` key rather than `MailResendLimit_user`,
and if we're within the limit, it will set `MailChangedJustNow_user`. The
`Activate` method - which sends the activation email, whether it is a
normal resend, or one following an email change - will check
`MailChangedJustNow_user`, and if it is set, it will check the rate
limit against `MailChangedLimit_user`, otherwise against
`MailResendLimit_user`, and then will delete the
`MailChangedJustNow_user` key from the cache.
Fixes #2040.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit e35d2af2e56f4ecb3a4f6d1109d02c8aa1a6d182)
(cherry picked from commit 03989418a70d3445e0edada7fbe5a4151d7836b1)
(cherry picked from commit f50e0dfe5e90d6a31c5b59e687580e8b2725c22b)
(cherry picked from commit cad9184a3653e6c80de2e006a0d699b816980987)
2023-12-07 14:57:16 +03:00
|
|
|
return makeEmailPrimary(ctx, user, email)
|
2021-11-28 17:11:58 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
// VerifyActiveEmailCode verifies active email code when active account
|
2023-09-14 20:09:32 +03:00
|
|
|
func VerifyActiveEmailCode(ctx context.Context, code, email string) *EmailAddress {
|
2021-11-28 17:11:58 +03:00
|
|
|
minutes := setting.Service.ActiveCodeLives
|
|
|
|
|
2023-09-14 20:09:32 +03:00
|
|
|
if user := GetVerifyUser(ctx, code); user != nil {
|
2021-11-28 17:11:58 +03:00
|
|
|
// time limit code
|
|
|
|
prefix := code[:base.TimeLimitCodeLength]
|
|
|
|
data := fmt.Sprintf("%d%s%s%s%s", user.ID, email, user.LowerName, user.Passwd, user.Rands)
|
|
|
|
|
|
|
|
if base.VerifyTimeLimitCode(data, minutes, prefix) {
|
|
|
|
emailAddress := &EmailAddress{UID: user.ID, Email: email}
|
2023-09-14 20:09:32 +03:00
|
|
|
if has, _ := db.GetEngine(ctx).Get(emailAddress); has {
|
2021-11-28 17:11:58 +03:00
|
|
|
return emailAddress
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// SearchEmailOrderBy is used to sort the results from SearchEmails()
|
|
|
|
type SearchEmailOrderBy string
|
|
|
|
|
|
|
|
func (s SearchEmailOrderBy) String() string {
|
|
|
|
return string(s)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Strings for sorting result
|
|
|
|
const (
|
|
|
|
SearchEmailOrderByEmail SearchEmailOrderBy = "email_address.lower_email ASC, email_address.is_primary DESC, email_address.id ASC"
|
|
|
|
SearchEmailOrderByEmailReverse SearchEmailOrderBy = "email_address.lower_email DESC, email_address.is_primary ASC, email_address.id DESC"
|
|
|
|
SearchEmailOrderByName SearchEmailOrderBy = "`user`.lower_name ASC, email_address.is_primary DESC, email_address.id ASC"
|
|
|
|
SearchEmailOrderByNameReverse SearchEmailOrderBy = "`user`.lower_name DESC, email_address.is_primary ASC, email_address.id DESC"
|
|
|
|
)
|
|
|
|
|
|
|
|
// SearchEmailOptions are options to search e-mail addresses for the admin panel
|
|
|
|
type SearchEmailOptions struct {
|
|
|
|
db.ListOptions
|
|
|
|
Keyword string
|
|
|
|
SortType SearchEmailOrderBy
|
|
|
|
IsPrimary util.OptionalBool
|
|
|
|
IsActivated util.OptionalBool
|
|
|
|
}
|
|
|
|
|
|
|
|
// SearchEmailResult is an e-mail address found in the user or email_address table
|
|
|
|
type SearchEmailResult struct {
|
|
|
|
UID int64
|
|
|
|
Email string
|
|
|
|
IsActivated bool
|
|
|
|
IsPrimary bool
|
|
|
|
// From User
|
|
|
|
Name string
|
|
|
|
FullName string
|
|
|
|
}
|
|
|
|
|
|
|
|
// SearchEmails takes options i.e. keyword and part of email name to search,
|
|
|
|
// it returns results in given range and number of total results.
|
2023-09-14 20:09:32 +03:00
|
|
|
func SearchEmails(ctx context.Context, opts *SearchEmailOptions) ([]*SearchEmailResult, int64, error) {
|
2021-11-28 17:11:58 +03:00
|
|
|
var cond builder.Cond = builder.Eq{"`user`.`type`": UserTypeIndividual}
|
|
|
|
if len(opts.Keyword) > 0 {
|
|
|
|
likeStr := "%" + strings.ToLower(opts.Keyword) + "%"
|
|
|
|
cond = cond.And(builder.Or(
|
|
|
|
builder.Like{"lower(`user`.full_name)", likeStr},
|
|
|
|
builder.Like{"`user`.lower_name", likeStr},
|
|
|
|
builder.Like{"email_address.lower_email", likeStr},
|
|
|
|
))
|
|
|
|
}
|
|
|
|
|
|
|
|
switch {
|
|
|
|
case opts.IsPrimary.IsTrue():
|
|
|
|
cond = cond.And(builder.Eq{"email_address.is_primary": true})
|
|
|
|
case opts.IsPrimary.IsFalse():
|
|
|
|
cond = cond.And(builder.Eq{"email_address.is_primary": false})
|
|
|
|
}
|
|
|
|
|
|
|
|
switch {
|
|
|
|
case opts.IsActivated.IsTrue():
|
|
|
|
cond = cond.And(builder.Eq{"email_address.is_activated": true})
|
|
|
|
case opts.IsActivated.IsFalse():
|
|
|
|
cond = cond.And(builder.Eq{"email_address.is_activated": false})
|
|
|
|
}
|
|
|
|
|
2023-09-14 20:09:32 +03:00
|
|
|
count, err := db.GetEngine(ctx).Join("INNER", "`user`", "`user`.ID = email_address.uid").
|
2021-11-28 17:11:58 +03:00
|
|
|
Where(cond).Count(new(EmailAddress))
|
|
|
|
if err != nil {
|
2022-10-24 22:29:17 +03:00
|
|
|
return nil, 0, fmt.Errorf("Count: %w", err)
|
2021-11-28 17:11:58 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
orderby := opts.SortType.String()
|
|
|
|
if orderby == "" {
|
|
|
|
orderby = SearchEmailOrderByEmail.String()
|
|
|
|
}
|
|
|
|
|
|
|
|
opts.SetDefaultValues()
|
|
|
|
|
|
|
|
emails := make([]*SearchEmailResult, 0, opts.PageSize)
|
2023-09-14 20:09:32 +03:00
|
|
|
err = db.GetEngine(ctx).Table("email_address").
|
2021-11-28 17:11:58 +03:00
|
|
|
Select("email_address.*, `user`.name, `user`.full_name").
|
|
|
|
Join("INNER", "`user`", "`user`.ID = email_address.uid").
|
|
|
|
Where(cond).
|
|
|
|
OrderBy(orderby).
|
|
|
|
Limit(opts.PageSize, (opts.Page-1)*opts.PageSize).
|
|
|
|
Find(&emails)
|
|
|
|
|
|
|
|
return emails, count, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// ActivateUserEmail will change the activated state of an email address,
|
|
|
|
// either primary or secondary (all in the email_address table)
|
2023-09-14 20:09:32 +03:00
|
|
|
func ActivateUserEmail(ctx context.Context, userID int64, email string, activate bool) (err error) {
|
|
|
|
ctx, committer, err := db.TxContext(ctx)
|
2021-11-28 17:11:58 +03:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer committer.Close()
|
|
|
|
|
|
|
|
// Activate/deactivate a user's secondary email address
|
|
|
|
// First check if there's another user active with the same address
|
2023-12-07 10:27:36 +03:00
|
|
|
addr, exist, err := db.Get[EmailAddress](ctx, builder.Eq{"uid": userID, "lower_email": strings.ToLower(email)})
|
|
|
|
if err != nil {
|
2021-11-28 17:11:58 +03:00
|
|
|
return err
|
2023-12-07 10:27:36 +03:00
|
|
|
} else if !exist {
|
2021-11-28 17:11:58 +03:00
|
|
|
return fmt.Errorf("no such email: %d (%s)", userID, email)
|
|
|
|
}
|
2023-12-07 10:27:36 +03:00
|
|
|
|
2021-11-28 17:11:58 +03:00
|
|
|
if addr.IsActivated == activate {
|
|
|
|
// Already in the desired state; no action
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
if activate {
|
|
|
|
if used, err := IsEmailActive(ctx, email, addr.ID); err != nil {
|
2022-10-24 22:29:17 +03:00
|
|
|
return fmt.Errorf("unable to check isEmailActive() for %s: %w", email, err)
|
2021-11-28 17:11:58 +03:00
|
|
|
} else if used {
|
|
|
|
return ErrEmailAlreadyUsed{Email: email}
|
|
|
|
}
|
|
|
|
}
|
2023-12-07 10:27:36 +03:00
|
|
|
if err = updateActivation(ctx, addr, activate); err != nil {
|
2021-11-28 17:11:58 +03:00
|
|
|
return fmt.Errorf("unable to updateActivation() for %d:%s: %w", addr.ID, addr.Email, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Activate/deactivate a user's primary email address and account
|
|
|
|
if addr.IsPrimary {
|
2023-12-07 10:27:36 +03:00
|
|
|
user, exist, err := db.Get[User](ctx, builder.Eq{"id": userID, "email": email})
|
|
|
|
if err != nil {
|
2021-11-28 17:11:58 +03:00
|
|
|
return err
|
2023-12-07 10:27:36 +03:00
|
|
|
} else if !exist {
|
2021-11-28 17:11:58 +03:00
|
|
|
return fmt.Errorf("no user with ID: %d and Email: %s", userID, email)
|
|
|
|
}
|
2023-12-07 10:27:36 +03:00
|
|
|
|
2021-11-28 17:11:58 +03:00
|
|
|
// The user's activation state should be synchronized with the primary email
|
|
|
|
if user.IsActive != activate {
|
|
|
|
user.IsActive = activate
|
|
|
|
if user.Rands, err = GetUserSalt(); err != nil {
|
2022-10-24 22:29:17 +03:00
|
|
|
return fmt.Errorf("unable to generate salt: %w", err)
|
2021-11-28 17:11:58 +03:00
|
|
|
}
|
2023-12-07 10:27:36 +03:00
|
|
|
if err = UpdateUserCols(ctx, user, "is_active", "rands"); err != nil {
|
2022-10-24 22:29:17 +03:00
|
|
|
return fmt.Errorf("unable to updateUserCols() for user ID: %d: %w", userID, err)
|
2021-11-28 17:11:58 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return committer.Commit()
|
|
|
|
}
|