From 93cd2d30e484a806982c8318acee4117bea6ea53 Mon Sep 17 00:00:00 2001
From: Neeraj Gupta <254676+ua741@users.noreply.github.com>
Date: Sat, 10 May 2025 07:22:28 +0530
Subject: [PATCH] Improve handling for ott errors

---
 server/pkg/controller/user/user.go | 3 +++
 server/pkg/controller/user/userauth.go | 24 +++++++++++++++++++-----
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/server/pkg/controller/user/user.go b/server/pkg/controller/user/user.go
index aacb5a64f3..048eaa54df 100644
--- a/server/pkg/controller/user/user.go
+++ b/server/pkg/controller/user/user.go
@@ -59,6 +59,7 @@ type UserController struct {
 UserCache *cache2.UserCache
 UserCacheController *usercache.Controller
 SRPLimiter *limiter.Limiter
+ OTTLimiter *limiter.Limiter
 }
 
 const (
@@ -125,6 +126,7 @@ func NewUserController(
 userCacheController *usercache.Controller,
 ) *UserController {
 srpLimiter := util.NewRateLimiter("100-H")
+ ottLimiter := util.NewRateLimiter("100-H")
 return &UserController{
 UserRepo: userRepo,
 UsageRepo: usageRepo,
@@ -151,6 +153,7 @@ func NewUserController(
 UserCache: userCache,
 UserCacheController: userCacheController,
 SRPLimiter: srpLimiter,
+ OTTLimiter: ottLimiter,
 }
 }
 
diff --git a/server/pkg/controller/user/userauth.go b/server/pkg/controller/user/userauth.go
index 13be40d6d6..ae20dff124 100644
--- a/server/pkg/controller/user/userauth.go
+++ b/server/pkg/controller/user/userauth.go
@@ -83,7 +83,7 @@ func hardcodedOTTForEmail(hardCodedOTT HardCodedOTT, email string) string {
 
 // SendEmailOTT generates and sends an OTT to the provided email address
 func (c *UserController) SendEmailOTT(context *gin.Context, email string, purpose string) error {
- if err := c.validateSendOTT(email, purpose); err != nil {
+ if err := c.validateSendOTT(context, email, purpose); err != nil {
 return err
 }
 ott, err := random.GenerateSixDigitOtp()
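Review bot: The new `OTTLimiter *limiter.Limiter` field in the UserController struct hunk has no comment, and nothing in this file says what it bounds or how it differs from `SRPLimiter` beside it. Since the only consumer visible in this patch is `validateSendOTT` in userauth.go, a one-line field comment would spare the next reader the cross-file hunt: `// OTTLimiter throttles how often send-OTT reveals registration-state errors (see validateSendOTT).` The struct definition continues outside the hunk.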
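Review bot: In the NewUserController hunk the rate literal `"100-H"` now appears twice, once for `srpLimiter` and once for `ottLimiter`, with nothing tying them together or explaining why the OTT error budget should equal the SRP one. Naming it once, `const authRateLimit = "100-H"` beside the existing `const (` block, keeps the two limiters tuned together and documents the choice; if the two are meant to diverge, the OTT one deserves its own named constant rather than a bare string. NewUserController starts and ends outside the hunk.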
@@ -142,7 +142,7 @@ func (c *UserController) isEmailAlreadyUsed(email string) error {
 return nil
 }
 
-func (c *UserController) validateSendOTT(email string, purpose string) error {
+func (c *UserController) validateSendOTT(ctx *gin.Context, email string, purpose string) error {
 if purpose == ente.ChangeEmailOTTPurpose {
 if err := c.isEmailAlreadyUsed(email); err != nil {
 return err
@@ -155,13 +155,27 @@ func (c *UserController) validateSendOTT(email string, purpose string) error {
 if purpose == ente.SignUpOTTPurpose && viper.GetBool("internal.disable-registration") && !isSignUpComplete {
 return stacktrace.Propagate(ente.ErrPermissionDenied, "registration is disabled")
 }
+ //
+ var registrationErr error
 if purpose == ente.SignUpOTTPurpose && isSignUpComplete {
- return stacktrace.Propagate(ente.ErrUserAlreadyRegistered, "user has already completed sign up process")
+ registrationErr = stacktrace.Propagate(ente.ErrUserAlreadyRegistered, "user has already completed sign up process")
 }
 if purpose == ente.LoginOTTPurpose && !isSignUpComplete {
- return stacktrace.Propagate(ente.ErrUserNotRegistered, "user has not completed sign up process")
+ registrationErr = stacktrace.Propagate(ente.ErrUserNotRegistered, "user has not completed sign up process")
 }
- return nil
+ // if no registration error, return
+ if registrationErr == nil {
+ return registrationErr
+ }
+ // check & swallow registration information error if too many such
+ // errors are generated in a short time
+ if limiter, limitErr := c.OTTLimiter.Get(ctx, "send-ott"); limitErr != nil {
+ if limiter.Reached {
+ go c.DiscordController.NotifyPotentialAbuse("swallowing send-ott registration error")
+ return nil
+ }
+ }
+ return registrationErr
 }
 
 // isSignUpComplete checks if the user has completed the entire signup process.
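Review bot: The limiter check in the second hunk, `if limiter, limitErr := c.OTTLimiter.Get(ctx, "send-ott"); limitErr != nil {`, is inverted: `limiter.Reached` is only consulted when `Get` returns an error, so on the normal path the swallow branch is unreachable and the registration error is always returned, while on a store failure `limiter` is the zero value and `Reached` is false anyway, so the branch is dead in both cases. It should read `if limiter, limitErr := c.OTTLimiter.Get(ctx, "send-ott"); limitErr == nil && limiter.Reached {`, and a non-nil `limitErr` is worth logging rather than silently falling through to the error-revealing path. Separately, the key `"send-ott"` is a single global bucket, so once clients collectively produce 100 of these errors in an hour every caller receives the enumeration-hiding `nil` — if per-client throttling is intended the key needs the client IP or the email in it (how `SRPLimiter` is keyed is not visible here). Once the limit is reached, `go c.DiscordController.NotifyPotentialAbuse(...)` also fires on every swallowed request, an unbounded notification stream driven by the very abuse it reports; consider notifying only on the first hit per window. Minor tidy-ups: the empty `//` line above `var registrationErr error` should be dropped or filled, and the nil branch can simply `return nil`.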