upload: improve error message for double verifications

Keep a rate limiter token around, and tell the user that a link was already clicked recently if that is the case.
2019-09-26 22:58:52 +02:00 · 2019-09-26 22:58:52 +02:00 · ecdf1001f4
parent 02321777b9
commit ecdf1001f4
4 changed files with 20 additions and 2 deletions
--- a/dist/templates/upload/already-verified.html.hbs
+++ b/dist/templates/upload/already-verified.html.hbs
@ -0,0 +1,3 @@
+{{#> layout }}
+  <p>This address was already verified.</p>
+{{/layout}}
--- a/src/web/mod.rs
+++ b/src/web/mod.rs
@ -1098,6 +1098,10 @@ pub mod tests {

        let response = client.post(&confirm_uri).dispatch();
        assert_eq!(response.status(), Status::Ok);
+
+        let mut response_second = client.post(&confirm_uri).dispatch();
+        assert_eq!(response_second.status(), Status::BadRequest);
+        assert!(response_second.body_string().unwrap().contains("already verified"));
    }

    fn check_mails_and_confirm_deletion(client: &Client, filemail_path: &Path, address: &str) {
--- a/src/web/vks.rs
+++ b/src/web/vks.rs
@ -263,7 +263,7 @@ pub fn verify_confirm(
 ) -> response::PublishResponse {
    let (fingerprint, email) = match check_publish_token(&db, &token_service, token) {
        Ok(x) => x,
-        Err(_) => return PublishResponse::err("token verification failed"),
+        Err(_) => return PublishResponse::err("Invalid verification token!"),
    };

    response::PublishResponse::Ok {
--- a/src/web/vks_web.rs
+++ b/src/web/vks_web.rs
@ -446,10 +446,13 @@ pub fn request_verify_form_data(
 pub fn verify_confirm(
    db: rocket::State<KeyDatabase>,
    token_service: rocket::State<StatefulTokens>,
+    rate_limiter: rocket::State<RateLimiter>,
    token: String,
 ) -> MyResponse {
+    let rate_limit_id = format!("verify-token-{}", &token);
    match vks::verify_confirm(db, token_service, token) {
        PublishResponse::Ok { fingerprint, email } => {
+            rate_limiter.action_perform(rate_limit_id);
            let userid_link = uri!(search: &email).to_string();
            let context = template::Verify {
                verified: true,
@ -462,7 +465,15 @@ pub fn verify_confirm(

            MyResponse::ok("upload/publish-result", context)
        },
-        PublishResponse::Error(error) => MyResponse::plain(error),
+        PublishResponse::Error(error) => {
+            if rate_limiter.action_check(rate_limit_id) {
+                MyResponse::bad_request(
+                    "400-plain", failure::err_msg(error))
+            } else {
+                MyResponse::bad_request(
+                    "upload/already-verified", failure::err_msg(""))
+            }
+        }
    }
 }