Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Bug: Email verification bypassed on account creation. #1859

Open MatinatorX opened 4 years ago

MatinatorX commented 4 years ago

@Ylianst This works if you create the user yourself, but if the user creates an account from the login screen themselves, the system automatically logs them in immediately after account creation, bypassing verification. Only if the user then logs out and tries to log back in will the verification screen show.

Originally posted by @MatinatorX in https://github.com/Ylianst/MeshCentral/issues/1188#issuecomment-618829997

Opening a new issue since this bug is still present. I also spun up a fresh VPS to test on a new MeshCentral install.

After account creation, email validation successfully blocks login attempts until the email address is validated. However, as part of the account creation process, users are logged in automatically after creation and without email verification. Logging out and attempting to log back in correctly blocks the attempt. This means users who know the domain suffix can have unrestricted access to all default devices and groups after account creation until they are logged out.

Ylianst commented 4 years ago

Ok, thanks for raising this up again. I need some sort of issue voting system.

Ylianst commented 4 years ago

Can you describe step-by-step how to make this problem happen? How is the account created? When options are selected? A quick example would be much appreciated. It will avoid me having to try to guess. Thanks.

MatinatorX commented 4 years ago

Of course:

Clicking "Logout" then trying to log back in with the user you just created blocks the attempt as it should with the standard "Email verification required, check your mailbox and click the confirmation link." screen.

MatinatorX commented 3 years ago

@Ylianst I know it's been a while and things are very busy, but just wanted to check if there had been time to look into this at all. We are starting to make use of tenancy and with that the risk of "spam" accounts goes up even with domain filtering. Would be amazing if users did not automatically get logged in on account creation and if accounts did not get added until email verification or were automatically deleted after a day or so if email verification was not completed.

I haven't yet heard of this being abused in any way, but can definitely see it being a problem in the future as the Mesh userbase continues to grow.