OWASP / owasp.github.io

OWASP Foundation main site repository
http://owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Managing membership does not check for email provisioning #135

Closed nhumblot closed 3 years ago

nhumblot commented 3 years ago

Hi!

I faced a small issue when requesting an OWASP email address.

I did not get an email notification and could not see any information in the "Manage Your Information".

By looking at the source code of the page: https://github.com/OWASP/owasp.github.io/blob/master/pages/manage-membership.md

I found this snippet:

      <div v-if="provision_email_message == true">
           Your chosen email was created.  Please go to <a href="https://mail.google.com">Google Mail</a> and logout of any current account or click Add another account.  Choose 'Forgot password' and 'try another way' then 'receive a verification code'.
      </div>

provision_email_message is not set to true while it should have been.

By looking at my devtools, I didn't see any REST call to https://owaspadmin.azurewebsites.net/api/provisionemail; the promise following this call looks to be the only place where provision_email_message is set to true.

After seeing this, I went to GMail and initiated a forgotten password on my OWASP e-mail address; after that I've been able to get access to it.

I will try to continue the investigation for preventing this issue. If a maintainer wants to share any input regarding this, I will gladly take any advice.

Thank you for your help. Kind regards

nhumblot commented 3 years ago

Adding more information,

Request to https://owaspadmin.azurewebsites.net/api/provisionemail is performed when executing redirectToAzure(). This function is called when clicking on a button available in the user interface when userData.emaillist.length > 0.

userData.emaillist is fetched as a response from a POST request to https://owaspadmin.azurewebsites.net/api/billingmanagement.

When requesting a new token to manage my information with my e-mail address used to join the OWASP foundation, I then access the "Manage my information" page; a request is performed to https://owaspadmin.azurewebsites.net/api/billingmanagement and I get the following response:

{
  "status": "OK",
  "data": {
    "membership": {
      "membership_name": "One Year Membership",
      "membership_recurring": false,
      "membership_end": "12/06/2021"
    },
    "subscriptions": [],
    "emaillist": []
  }
}

Based on the front-end code, in my case, emaillist should have one element with my OWASP email address.

Is this REST API source code accessible? A search on billingmanagement in the OWASP organization returns the manage-membership page and two issues on this project (this one included).

Thank you for your help.

hblankenship commented 3 years ago

The call to manage-membership to retrieve possible email addresses only works once. When you choose an email address, it will return nothing in that list. I suspect you first chose an email address when you originally provisioned the email. The return page posts the following information:

Your chosen email was created. Please go to Google Mail and logout of any current account or click Add another account. Choose 'Forgot password' and 'try another way' then 'receive a verification code'.

If you did not see it the first time then you will not see it again, unfortunately.

nhumblot commented 3 years ago

Thank you for your answer.

I've already been able to get my e-mail address but I wanted to share this because I thought there was a bug.

This behaviour seems to be deliberate and the code is working as expected.

I'm closing the issue, sorry for the inconvenience.

danmullen commented 3 years ago

I've experienced exactly the same issue. Just signed up, went to manage my membership, saw the OWASP.org email address allocated to me and clicked to provision it. Got a message saying, "Please wait... this may take some time". I've been waiting around 15 minutes, no change to the on-screen message, no email confirmation, etc.

Edit: should have clarified, I was also able to access my new account by going through Google's "forgotten password" process. There is definitely an issue on the OWASP.org site.

nhumblot commented 3 years ago

Hello,

Another member looks to face an issue with this mechanism and reported it on the OWASP Slack: https://owasp.slack.com/archives/C04T40NND/p1614190195049600

I'm reopening this issue as it looks like there is something unusual or not clear about provisioning an e-mail.

If maintainers of the project do not agree about this, feel free to close it back. If an issue or an improvement is identified, I will gladly try to help.

kanika-banga commented 3 years ago

Hello! Greetings of the day. I am kanika banga. I am a Computer Science student pursuing BCA 2nd year. I would like to contribute to your organization as I find it very well suitable for me. I wanted to ask if I can work on my own project. The project name is Palm Detection. It's a security-related project. Technology used would be HTML, CSS & Javascript or Python. It is more secure than other biometrics because it is never exposed. This project would be best for the future as the technology would be enhanced using internal organs rather than outer ones. As the palm has more surface area than fingers or iris, it provides us more accurate results than other biometrics. The biometric being scanned is from a real person only, so it can't be stolen or duplicated. As the palm recognition is internal, it offers you a privacy advantage as well. A palm vein scanner is resistant to dirt, dust, dryness, moisture, etc. So it is very reliable. Please consider this project. It would be a great opportunity for me to be guided by you. Thank you. Stay safe

hblankenship commented 3 years ago

There was an error in the way the errors were assigned. This should be fixed but, as noted, the error, if a timeout or similar, may not be accurate and the email address may have been provisioned anyway. If that is the case, the advice regarding 'forgot password' above still applies. You should be able to determine this by going back to https://owasp.org/manage-membership and re-submitting your email address; when you visit the link it should show a provisioned email instead of the button to provision an email.
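A small client-side model of the provisioning flow this thread describes (button only while emaillist is non-empty, provisionemail call, success message set afterwards, timeout or error handled by re-querying billingmanagement as the last comment advises). This is an added illustration, not code from owasp.github.io: the `api` object, the state names, the fake backend and the timeout value are all assumptions.

```javascript
// Hypothetical model of the manage-membership provisioning flow (not the project's code).
// `api` is an injected stand-in for the real endpoints so the logic runs offline.
const PROVISION_TIMEOUT_MS = 15000; // assumed value; the issue gives none

function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error("timeout")), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Returns the UI state to render. A failed or timed-out provisionemail call is not
// trusted on its own: billingmanagement is re-queried, and an emaillist that became
// empty means the address was provisioned anyway (the behaviour described above).
async function provisionEmailFlow(api, chosenEmail, timeoutMs = PROVISION_TIMEOUT_MS) {
  const before = await api.billingmanagement();
  if (before.data.emaillist.length === 0) {
    return { state: "already_provisioned", message: "No address left to provision; use 'Forgot password' in Google Mail." };
  }
  try {
    await withTimeout(api.provisionemail(chosenEmail), timeoutMs);
    return { state: "provisioned", message: "Your chosen email was created." };
  } catch (err) {
    const after = await api.billingmanagement();
    if (after.data.emaillist.length === 0) {
      return { state: "provisioned_unconfirmed", error: err.message,
               message: "The request did not complete, but the address exists; use 'Forgot password'." };
    }
    return { state: "error", error: err.message, message: "Provisioning failed; please retry." };
  }
}

// Constructed fake backend for a stand-alone run. `behaviour` is "ok", "hang" (response
// never arrives although the backend provisioned the address) or "error" (nothing provisioned).
function fakeApi(behaviour) {
  let provisioned = false;
  return {
    billingmanagement: async () => ({
      status: "OK",
      data: { membership: { membership_name: "One Year Membership" }, subscriptions: [],
              emaillist: provisioned ? [] : ["member@owasp.org"] },
    }),
    provisionemail: async () => {
      if (behaviour === "error") throw new Error("HTTP 500");
      provisioned = true;
      if (behaviour === "hang") return new Promise(() => {});
      return { status: "OK" };
    },
  };
}
```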