up2university / single-sign-on

Up2U federated authentication service

validation link sent by email can be used multiple times #35

Open moscicki opened 6 years ago

moscicki commented 6 years ago

Following issue #34: I can actually access the validation link (sent by email -- below) multiple times and every time I get a form to fill in my details.

Once the account is validated accessing this link should end up on a page saying that the account has already been activated.

Registration email:

Registration at Up2U IdP - email validation
Hi thanks for using the Up2U IdP service. This e-mail is sent so that you can verify your e-mail address:

me@gmail.com

In order to continue registration of a new user on Up2U IdP, visit the following URL:

https://sso.up2university.eu/simplesaml/module.php/selfregister/newUser.php?email=me%40gmail.com&token=XXX

This URL contains a secret token that validates your e-mail address. This token is valid for only 5 days. If this token expire, you have to request a new token by starting the registration over again.

Kind regards Up2U IdP
michzimny commented 6 years ago

@moscicki, are you able to say what happens if you fill up the form for the second time?

I think the answer will tell us how critical the issue is.

moscicki commented 6 years ago

Not sure what happens (I am in the middle of functional tests so I prefer not to break it ;-) but it should be very easy to test by the dev team. Thx ;-)

On Wed, May 2, 2018 at 1:59 PM, Michał Zimniewicz notifications@github.com wrote:

> @moscicki https://github.com/moscicki, are you able to say what happens if you fill up the form for the second time?
>
> I think the answer will tell us how critical the issue is.


--
Best regards, Kuba

michzimny commented 6 years ago

Filling the form for the second time creates a second user account and makes both accounts inaccessible.

When logging in, such a user gets the following message:

Error Authentication source error Authentication error in source 'ldap'. The reason was: 'Library - LDAP search(): Found 2 entries searching base \'ou=up2university,dc=gwdg,dc=de\' for \'(|(uid=$EMAIL_ADDRESS$)(mailAddresses=$EMAIL_ADDRESS$)(mail=$EMAIL_ADDRESS$))\''

where $EMAIL_ADDRESS$ is the user's email address.

foobarable commented 6 years ago

That's indeed not good. Looking into it.

m0ark commented 6 years ago

The validation link cannot be invalidated as of now. It's an unfortunate use of a time-based token by the original author. However, the token cannot be used to create another account since the email address has already been taken by creating an account in the first place.

From my point of view this should be considered low priority until we get a service for one-time-use tokens.
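To make the two designs under discussion concrete (the purely time-based token that cannot be revoked, and a stored one-time-use token that is marked consumed on first use), here is an added, self-contained illustration. It is not code from the up2university/single-sign-on project or from its SimpleSAMLphp selfregister module; the 5-day lifetime comes from the e-mail quoted above, and `SERVER_KEY`, `DEMO_NOW`, the in-memory stores and all function names are constructed for the example. It also shows the second half of the thread: enforcing e-mail uniqueness at account creation so that a re-submitted form can never produce the duplicate LDAP entries michzimny observed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

# Constructed illustration; not the project's own code.
TOKEN_LIFETIME = timedelta(days=5)           # lifetime stated in the registration e-mail
SERVER_KEY = b"constructed-demo-key"         # placeholder; a real IdP keeps this secret
DEMO_NOW = datetime(2018, 5, 2, 12, 0, tzinfo=timezone.utc)  # constructed clock value


def time_based_token(email: str, issued_at: datetime) -> str:
    """Stateless design: token = expiry + HMAC(key, email|expiry). No server-side record."""
    expiry = int((issued_at + TOKEN_LIFETIME).timestamp())
    mac = hmac.new(SERVER_KEY, f"{email}|{expiry}".encode(), hashlib.sha256).hexdigest()
    return f"{expiry}.{mac}"


def verify_time_based(email: str, token: str, now: datetime) -> bool:
    """Valid until expiry. Nothing records that it was used, so it cannot be revoked."""
    try:
        expiry_str, mac = token.split(".", 1)
        expiry = int(expiry_str)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{email}|{expiry}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and now.timestamp() < expiry


@dataclass
class TokenRecord:
    email: str
    expires_at: datetime
    consumed_at: Optional[datetime] = None


@dataclass
class SingleUseTokenStore:
    """Stateful design: each token is stored hashed and marked consumed on first use."""
    records: Dict[str, TokenRecord] = field(default_factory=dict)

    @staticmethod
    def _key(token: str) -> str:
        # Store only a digest, so a leaked store does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self.records[self._key(token)] = TokenRecord(email, now + TOKEN_LIFETIME)
        return token

    def consume(self, email: str, token: str, now: datetime) -> str:
        rec = self.records.get(self._key(token))
        if rec is None or rec.email != email:
            return "invalid"
        if rec.consumed_at is not None:
            return "already_used"     # second visit: show "account already activated"
        if now >= rec.expires_at:
            return "expired"          # user must restart registration
        rec.consumed_at = now
        return "ok"


@dataclass
class AccountRegistry:
    """Stand-in for the user directory; the e-mail address is the unique key."""
    accounts: Set[str] = field(default_factory=set)

    def create(self, email: str) -> bool:
        if email in self.accounts:
            return False              # never a second entry for the same address
        self.accounts.add(email)
        return True


def complete_registration(store: SingleUseTokenStore, registry: AccountRegistry,
                          email: str, token: str, now: datetime) -> str:
    """Outcome of submitting the registration form behind a validation link."""
    status = store.consume(email, token, now)
    if status != "ok":
        return status
    if not registry.create(email):
        return "already_registered"
    return "created"


def run_demo() -> Dict[str, object]:
    """Walk through both designs on a constructed address; returns observed outcomes."""
    email = "me@example.com"
    stateless = time_based_token(email, DEMO_NOW)
    store, registry = SingleUseTokenStore(), AccountRegistry()
    tok = store.issue(email, DEMO_NOW)
    return {
        "stateless_first": verify_time_based(email, stateless, DEMO_NOW + timedelta(days=1)),
        "stateless_second": verify_time_based(email, stateless, DEMO_NOW + timedelta(days=1)),
        "stateless_after_5_days": verify_time_based(email, stateless, DEMO_NOW + timedelta(days=6)),
        "single_use_first": complete_registration(store, registry, email, tok, DEMO_NOW + timedelta(hours=1)),
        "single_use_second": complete_registration(store, registry, email, tok, DEMO_NOW + timedelta(hours=2)),
        "accounts": len(registry.accounts),
        "fresh_token_same_email": complete_registration(store, registry, email, store.issue(email, DEMO_NOW), DEMO_NOW),
    }


if __name__ == "__main__":
    print(run_demo())
```

The stateless token stays valid for its whole lifetime no matter how often the link is opened, which is exactly the behaviour reported in this issue; the stored token flips to `already_used` on the second visit, and the uniqueness check in `AccountRegistry.create` is the independent safety net that prevents a duplicate directory entry even if a token is somehow accepted twice.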

michzimny commented 6 years ago

@m0ark, I think it would have a low priority if using the link for the second time did not allow creating a second account and did not make both accounts inaccessible.