don't allow creating accounts via the website for similar emailaddresses

mjl- · mjl- · commit 9e2efb82d093 · 2024-03-13T20:15:00.000+01:00
where the "simplified localpart" is identical to an existing account: lowercased, keeping only the part before a "+" or "-", dots removed. during signups via the website, we simply don't create an account, and provide a hint to users. for issue #27
diff --git a/api.go b/api.go
@@ -173,7 +173,7 @@ func xratemeta(tx *bstore.Tx, user User, signup bool) {
 func xcanonicalAddress(email string) string {
 	addr, err := smtp.ParseAddress(email)
 	xusercheckf(err, "validating address")
-	return addr.Pack(true)
+	return addr.String()
 }
 
 // Signup registers a new account. We send an email for users to verify they
@@ -184,6 +184,8 @@ func (API) Signup(ctx context.Context, email string) {
 
 	xrate(ratelimitSignup, reqInfo.Request)
 
+	emailAddr, err := smtp.ParseAddress(email)
+	xusercheckf(err, "validating address")
 	email = xcanonicalAddress(email)
 
 	// Make SMTP connection. If it fails, return error to user.
@@ -200,11 +202,15 @@ func (API) Signup(ctx context.Context, email string) {
 		logCheck(err, "closing smtp connectiong")
 	}()
 
-	user, msg, mailFrom, eightbit, smtputf8, m, err := signup(ctx, email, "", true)
+	user, msg, mailFrom, eightbit, smtputf8, m, err := signup(ctx, emailAddr, "", true)
 	if serr, ok := err.(*sherpa.Error); ok {
 		panic(serr)
 	}
 	xcheckf(err, "adding user to database")
+	if user.ID == 0 {
+		// We didn't create a new account.
+		return
+	}
 
 	// Send the message.
 	submitctx, submitcancel := context.WithTimeout(context.Background(), 10*time.Second)
@@ -219,7 +225,7 @@ func (API) Signup(ctx context.Context, email string) {
 	slog.Info("submitted signup/passwordreset email", "userid", user.ID)
 }
 
-func signup(ctx context.Context, email string, origMessageID string, viaWebsite bool) (user User, msg []byte, mailFrom string, eightbit, smtputf8 bool, m Message, err error) {
+func signup(ctx context.Context, email smtp.Address, origMessageID string, viaWebsite bool) (user User, msg []byte, mailFrom string, eightbit, smtputf8 bool, m Message, err error) {
 	var sendID string
 
 	// Code below can raise panics with sherpa.Error. Catch them an return as regular error.
@@ -236,7 +242,7 @@ func signup(ctx context.Context, email string, origMessageID string, viaWebsite
 	}()
 
 	err = database.Write(ctx, func(tx *bstore.Tx) error {
-		user, err = bstore.QueryTx[User](tx).FilterNonzero(User{Email: email}).Get()
+		user, err = bstore.QueryTx[User](tx).FilterNonzero(User{Email: email.String()}).Get()
 		if err == bstore.ErrAbsent || err == nil && user.VerifyToken != "" {
 			if viaWebsite && config.SignupWebsiteDisabled {
 				return fmt.Errorf("signup via website currently disabled")
@@ -245,6 +251,13 @@ func signup(ctx context.Context, email string, origMessageID string, viaWebsite
 				return fmt.Errorf("signup via email currently disabled")
 			}
 
+			lp := string(email.Localpart)
+			lp = strings.ToLower(lp)             // Not likely anyone hands out different accounts with different casing only.
+			lp = strings.SplitN(lp, "+", 2)[0]   // user+$any@domain
+			lp = strings.SplitN(lp, "-", 2)[0]   // user-any@domain
+			lp = strings.ReplaceAll(lp, ".", "") // Gmail.
+			simplifiedEmail := smtp.Address{Localpart: smtp.Localpart(lp), Domain: email.Domain}
+
 			metaUnsubToken := user.MetaUnsubscribeToken
 			if metaUnsubToken == "" {
 				metaUnsubToken = xrandomID(16)
@@ -259,7 +272,8 @@ func signup(ctx context.Context, email string, origMessageID string, viaWebsite
 			}
 			user = User{
 				ID:                      user.ID,
-				Email:                   email,
+				Email:                   email.String(),
+				SimplifiedEmail:         simplifiedEmail.String(),
 				VerifyToken:             verifyToken,
 				MetaUnsubscribeToken:    metaUnsubToken,
 				UpdatesUnsubscribeToken: updatesUnsubToken,
@@ -269,6 +283,16 @@ func signup(ctx context.Context, email string, origMessageID string, viaWebsite
 				xratemeta(tx, user, true)
 				err = tx.Update(&user)
 			} else {
+				if viaWebsite {
+					exists, err := bstore.QueryTx[User](tx).FilterNonzero(User{SimplifiedEmail: user.SimplifiedEmail}).Exists()
+					xcheckf(err, "checking if similar address already has account")
+					if exists {
+						slog.Info("not allowing creation of duplicate simplified user via website", "email", user.Email, "simplifiedemail", user.SimplifiedEmail)
+						// We're not giving feedback that the user already exists.
+						user = User{}
+						return nil
+					}
+				}
 				user.UpdateInterval = IntervalDay
 				err = tx.Insert(&user)
 			}
diff --git a/data.go b/data.go
@@ -21,7 +21,10 @@ type User struct {
 	ID int64
 
 	// Cannot be changed, users must create a new account instead. todo: improve
-	Email                string `bstore:"nonzero,unique"`
+	Email string `bstore:"nonzero,unique"`
+	// Like email, but with a simplified localpart to prevent duplicate account signup
+	// attempts through the website.
+	SimplifiedEmail      string `bstore:"index"`
 	SaltedHashedPassword string `json:"-"`
 	PasswordResetToken   string `bstore:"index" json:"-"`
 
diff --git a/imap.go b/imap.go
@@ -359,7 +359,7 @@ func processMessage(imapconn *imapclient.Conn, uid uint32) (problem string, rerr
 		// todo: if we didn't find dmarc=none, we could try looking up the dmarc record and applying it. perhaps good to again evaluate the dmarc record with the spf/dkim details we found: the dmarc policy may have a setting where it applies to fewer than 100% of the messages. we can probably be more strict.
 		authres := msg.Header.Get("Authentication-Results")
 		if authres == "" {
-			return fmt.Sprintf("missing authentication-results in message, cannot validate from address"), nil
+			return "missing authentication-results in message, cannot validate from address", nil
 		}
 		ar, err := message.ParseAuthResults(authres + "\n")
 		if err != nil {
@@ -390,7 +390,7 @@ func processMessage(imapconn *imapclient.Conn, uid uint32) (problem string, rerr
 					good = true
 					break Methods
 				case "fail":
-					return fmt.Sprintf(`message contained a dmarc failure, not responding`), nil
+					return `message contained a dmarc failure, not responding`, nil
 				}
 			case "spf":
 				if am.Result == "pass" {
@@ -429,16 +429,19 @@ func processMessage(imapconn *imapclient.Conn, uid uint32) (problem string, rerr
 			}
 		}
 		if !good {
-			return fmt.Sprintf(`"from" address not aligned-dmarc-verified`), nil
+			return `"from" address not aligned-dmarc-verified`, nil
 		}
 
 		// Message seems legit. Lookup the user. If no account yet, we'll try to create it.
 		// If user exists, we'll send a password reset. Like the regular signup form.
 		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 		defer cancel()
-		user, msg, mailFrom, eightbit, smtputf8, m, err := signup(ctx, fromAddr.String(), env.MessageID, false)
+		user, msg, mailFrom, eightbit, smtputf8, m, err := signup(ctx, fromAddr, env.MessageID, false)
 		if err != nil {
 			return fmt.Sprintf("registering signup for user %q: %v", fromAddr.String(), err), nil
+		} else if user.ID == 0 {
+			// Should not happen for email-based signup.
+			return "missing user id after signup", nil
 		}
 
 		// Check if we can send. If not, abort.
diff --git a/index.js b/index.js
@@ -1113,7 +1113,7 @@ const overview = async () => {
 	dom._kids(document.body, page);
 };
 const signedup = (email) => {
-	dom._kids(document.body, dom.div(dom._class('page'), dom.h1('Account created'), dom.p("We've sent an email to ", dom.b(email), " with a confirmation link."), dom.p("If the email is not coming in, don't forget to check your spam mailbox. Also, some mail servers employ 'grey listing', holding off first-time deliveries for up to half an hour."), dom.p("Go back ", dom.a(attr.href('#'), 'home', function click() { route(); }), '.')));
+	dom._kids(document.body, dom.div(dom._class('page'), dom.h1('Account created'), dom.p(dom.span("If all is well", attr.title('If you already have an account with essentially the same email address (wildcards removed, etc), you can not create another account via the website, only by sending us a signup email.')), ", we've sent an email to ", dom.b(email), " with a confirmation link."), dom.p("If the email is not coming in, don't forget to check your spam mailbox. Also, some mail servers employ 'grey listing', holding off first-time deliveries for up to half an hour."), dom.p("Go back ", dom.a(attr.href('#'), 'home', function click() { route(); }), '.')));
 };
 const signup = (home) => {
 	let fieldset;
@@ -1128,7 +1128,7 @@ const signup = (home) => {
 		dom.p('Send us an email with "signup for ', home.ServiceName, '" as the subject:'),
 		dom.p(style({ marginLeft: '3em' }), dom.a(attr.href('mailto:' + encodeURIComponent(home.SignupAddress) + '?subject=' + encodeURIComponent('signup for ' + home.ServiceName) + '&body=' + encodeURIComponent('sign me up for gopherwatch!')), home.SignupAddress)),
 		dom.p(`Any message body will do, it's ignored. You'll get a reply with a link to confirm and set a password, after which we'll automatically log you in. Easy.`),
-		home.SignupWebsiteDisabled ? [] : dom.p("Sending us the first email ", dom.span("helps your junk filter realize we're good people.", attr.title(`Because our email address will be a known correspondent in your account. It may also prevent delays in delivery. Hopefully your junk filter will seize the opportunity!`))),
+		home.SignupWebsiteDisabled ? [] : dom.p("Sending us the first email ", dom.span("helps your junk filter realize we're good people.", attr.title(`Because our email address will be a known correspondent in your account. It may also prevent delays in delivery. Hopefully your junk filter will seize the opportunity! On top of that, it will also prevent us from being misused into sending messages to unsuspecting people, because we only reply to messages from legitimate senders (spf/dkim/dmarc-verified). For similar reasons, you can only sign up with wildcard email addresses (like user+$anything@domain) via email and not via the website.`))),
 		dom.br(),
 	], home.SignupWebsiteDisabled ? [] : [
 		home.SignupEmailDisabled ? [] : dom.h2('Option 2: Signup through website'),
diff --git a/index.ts b/index.ts
@@ -546,7 +546,7 @@ const signedup = (email: string) => {
 	dom._kids(document.body,
 		dom.div(dom._class('page'),
 			dom.h1('Account created'),
-			dom.p("We've sent an email to ", dom.b(email), " with a confirmation link."),
+			dom.p(dom.span("If all is well", attr.title('If you already have an account with essentially the same email address (wildcards removed, etc), you can not create another account via the website and we actually did not send you an email. You can only sign up with those similar addresses through a signup email.')), ", we've sent an email to ", dom.b(email), " with a confirmation link."),
 			dom.p("If the email is not coming in, don't forget to check your spam mailbox. Also, some mail servers employ 'grey listing', holding off first-time deliveries for up to half an hour."),
 			dom.p("Go back ", dom.a(attr.href('#'), 'home', function click() { route() }), '.'),
 		),
@@ -574,7 +574,7 @@ const signup = (home: api.Home) => {
 				dom.p('Send us an email with "signup for ', home.ServiceName, '" as the subject:'),
 				dom.p(style({marginLeft: '3em'}), dom.a(attr.href('mailto:'+encodeURIComponent(home.SignupAddress)+'?subject='+encodeURIComponent('signup for '+home.ServiceName) + '&body='+encodeURIComponent('sign me up for gopherwatch!')), home.SignupAddress)),
 				dom.p(`Any message body will do, it's ignored. You'll get a reply with a link to confirm and set a password, after which we'll automatically log you in. Easy.`),
-				home.SignupWebsiteDisabled ? [] : dom.p("Sending us the first email ", dom.span("helps your junk filter realize we're good people.", attr.title(`Because our email address will be a known correspondent in your account. It may also prevent delays in delivery. Hopefully your junk filter will seize the opportunity!`))),
+				home.SignupWebsiteDisabled ? [] : dom.p("Sending us the first email ", dom.span("helps your junk filter realize we're good people.", attr.title(`Because our email address will be a known correspondent in your account. It may also prevent delays in delivery. Hopefully your junk filter will seize the opportunity! On top of that, it will also prevent us from being misused into sending messages to unsuspecting people, because we only reply to messages from legitimate senders (spf/dkim/dmarc-verified). For similar reasons, you can only sign up with wildcard email addresses (like user+$anything@domain) via email and not via the website.`))),
 				dom.br(),
 			],
 
