I need to stop users from abusing allauth's ability to send users verification & password reset emails so that my email provider does not temporarily suspend my email address for sending too many emails.
On the /accounts/email/ page, a user could click the re-send verification all they want and an email gets sent every click.
I noticed an ACCOUNT_EMAIL_CONFIRMATION_COOLDOWN setting but am not entirely sure how it works. I tried testing it and am still able to spam click and have the emails get sent every click.
On the /accounts/password/reset/ page, this issue occurs:
https://github.com/pennersr/django-allauth/issues/2167
The creator mentions doing something like this to alleviate it:
https://github.com/pennersr/django-allauth/issues/1008
Maybe this can be used to solve both problems? How would you implement it with the allauth code?
https://stackoverflow.com/a/2157688/13955916
Would rate limiting or throttling solve this? If so, what would a code example be for this?
I have reCAPTCHA v3 on both pages. But that doesn't stop human spam farms.
I came up with a client-side JavaScript cookie solution but am afraid it will not be effective to stop these problems since it is not a server-side solution:
button.disabled,
button[disabled] {
    box-shadow: none;
    cursor: not-allowed;
    opacity: 0.5;
    pointer-events: none;
}

<button id="re-send" class="secondaryAction" type="submit" name="action_send">{% trans 'Re-send Verification' %}</button>

<script>
    var COOKIE_NAME = "cookieName";
    var COOKIE_VALUE = "mysite";
    var resendBtn = document.getElementById("re-send");

    // Disable the button and drop a one-day cookie as soon as it is clicked.
    resendBtn.addEventListener("click", disable);

    // On page load, keep the button disabled if the cookie is still present.
    if (getCookie(COOKIE_NAME) == COOKIE_VALUE) {
        resendBtn.classList.add('disabled');
    }

    function setCookie() {
        var days = 1;
        var myDate = new Date();
        myDate.setTime(myDate.getTime() + (days * 24 * 60 * 60 * 1000));
        document.cookie = COOKIE_NAME + "=" + COOKIE_VALUE + "; expires=" + myDate.toUTCString();
    }

    function getCookie(cname) {
        var name = cname + "=";
        var ca = document.cookie.split(';');
        for (var i = 0; i < ca.length; i++) {
            var c = ca[i];
            while (c.charAt(0) == ' ') c = c.substring(1);
            if (c.indexOf(name) == 0) return c.substring(name.length, c.length);
        }
        return "";
    }

    function disable() {
        resendBtn.classList.add('disabled');
        setCookie();
    }

    // Re-apply the class every second in case it was removed while the cookie is still set.
    function runFunction() {
        if (!resendBtn.classList.contains('disabled') && getCookie(COOKIE_NAME) == COOKIE_VALUE) {
            resendBtn.classList.add('disabled');
        }
    }
    setInterval(runFunction, 1000);
</script>
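Below is an added example of the server-side throttle the question asks about; it is not allauth's code and is independent of its own cooldown setting. It keeps a sliding window of send timestamps per key (user id for the re-send page, client IP for the anonymous password reset page) in a Django-style cache, and a decorator wraps a view so the email is only sent when the window allows it. `MemoryCache`, `FakeClock`, `FakeRequest`, `user_or_ip_key` and the tuple returned on throttle are assumptions made so the example runs offline; in a project you would pass `django.core.cache.cache` (same `get`/`set` calls) and return an `HttpResponse` with status 429 instead.

```python
import time
from functools import wraps


class MemoryCache:
    """In-memory stand-in for django.core.cache.cache: get(key, default) / set(key, value, timeout)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._data = {}

    def get(self, key, default=None):
        entry = self._data.get(key)
        if entry is None:
            return default
        value, expires_at = entry
        if self._clock() >= expires_at:
            del self._data[key]          # expired, behave as a miss
            return default
        return value

    def set(self, key, value, timeout):
        self._data[key] = (value, self._clock() + timeout)


class EmailSendThrottle:
    """Allow at most `limit` sends per key within any `window` seconds (sliding window)."""

    def __init__(self, cache, limit=3, window=600, clock=time.monotonic):
        self.cache, self.limit, self.window, self.clock = cache, limit, window, clock

    def _recent(self, key, now):
        stamps = self.cache.get(f"email-throttle:{key}", [])
        return [t for t in stamps if now - t < self.window]   # drop stamps outside the window

    def allow(self, key):
        now = self.clock()
        recent = self._recent(key, now)
        if len(recent) >= self.limit:
            self.cache.set(f"email-throttle:{key}", recent, self.window)
            return False
        recent.append(now)
        self.cache.set(f"email-throttle:{key}", recent, self.window)
        return True

    def retry_after(self, key):
        """Whole seconds until the next send is allowed (0 if allowed now)."""
        now = self.clock()
        recent = self._recent(key, now)
        if len(recent) < self.limit:
            return 0
        # The list never exceeds `limit`, so the oldest stamp is the one that must age out.
        return int(self.window - (now - recent[0])) + 1


def user_or_ip_key(request):
    """Key authenticated users by id, anonymous callers by REMOTE_ADDR (assumed request shape)."""
    user = getattr(request, "user", None)
    if user is not None and getattr(user, "is_authenticated", False):
        return f"user:{user.pk}"
    return "ip:" + request.META.get("REMOTE_ADDR", "unknown")


def throttle_email_action(throttle, key_func):
    """Run the wrapped view only when the throttle allows this caller."""
    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            key = key_func(request)
            if not throttle.allow(key):
                # Real code: log the event and return HttpResponse(status=429) with Retry-After.
                return ("throttled", throttle.retry_after(key))
            return view(request, *args, **kwargs)
        return wrapped
    return decorator


class FakeClock:
    """Injectable clock so the window can be advanced deterministically (constructed for the demo)."""
    def __init__(self, start=0.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class FakeRequest:
    """Minimal request stand-in with the attributes the key function reads (constructed)."""
    def __init__(self, user=None, addr="203.0.113.5"):
        self.user = user
        self.META = {"REMOTE_ADDR": addr}


def demo(clock=None):
    """Four rapid clicks from one IP, then one more after the window has passed."""
    clock = clock or FakeClock()
    throttle = EmailSendThrottle(MemoryCache(clock), limit=3, window=600, clock=clock)

    @throttle_email_action(throttle, user_or_ip_key)
    def resend_view(request):
        return "sent"            # stands in for allauth actually sending the email

    req = FakeRequest()
    results = [resend_view(req) for _ in range(4)]
    clock.advance(601)
    results.append(resend_view(req))
    return results


if __name__ == "__main__":
    print(demo())
```

For the password reset page, key on the normalised submitted address as well as the IP, so one address cannot be flooded from many clients and one client cannot sweep many addresses. `REMOTE_ADDR` is only meaningful if the app sits directly behind a proxy you control that sets it; otherwise derive the client IP from the header your proxy guarantees. Because the counter lives in the shared cache rather than a browser cookie, clearing cookies or scripting the request does not reset it.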