From 043be60f256a99c648ae0429480c573934b448cb Mon Sep 17 00:00:00 2001
From: Alex Bogdanovski
Date: Mon, 2 Aug 2021 02:18:10 +0300
Subject: [PATCH] fixed possible spamming by resending confirmation emails
---
 .../scoold/controllers/SigninController.java | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/src/main/java/com/erudika/scoold/controllers/SigninController.java b/src/main/java/com/erudika/scoold/controllers/SigninController.java
index b4defa23..45cef1d2 100755
--- a/src/main/java/com/erudika/scoold/controllers/SigninController.java
+++ b/src/main/java/com/erudika/scoold/controllers/SigninController.java
@@ -182,9 +182,20 @@ public String signup(@RequestParam String name, @RequestParam String email, @Req
 }
 
 @PostMapping("/signin/register/resend")
- public String signup(@RequestParam String email, HttpServletRequest req, HttpServletResponse res, Model model) {
- if (!utils.isAuthenticated(req) && isAccountLocked(email)) {
- utils.sendVerificationEmail(email, req);
+ public String resend(@RequestParam String email, HttpServletRequest req, HttpServletResponse res, Model model) {
+ if (!utils.isAuthenticated(req)) {
+ Sysprop ident = pc.read(email);
+ // confirmation emails can be resent once every 6h
+ if (ident != null && !StringUtils.isBlank((String) ident.getProperty(Config._EMAIL_TOKEN)) &&
+ (!ident.hasProperty("confirmationTimestamp") || Utils.timestamp() >
+ ((long) ident.getProperty("confirmationTimestamp") + TimeUnit.HOURS.toMillis(6)))) {
+ User u = pc.read(Utils.type(User.class), ident.getCreatorid());
+ if (u != null && !u.getActive()) {
+ utils.sendVerificationEmail(email, req);
+ ident.addProperty("confirmationTimestamp", Utils.timestamp());
+ pc.update(ident);
+ }
+ }
 }
 return "redirect:" + SIGNINLINK + "/register?verify=true";
 }
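Review bot: The `(long) ident.getProperty("confirmationTimestamp")` cast in the outer `if` of `resend` is unchecked; should the stored property come back from `pc.read` as a different `Number` subtype (this presumably depends on how the client deserializes Sysprop properties — worth confirming), an unauthenticated caller gets a ClassCastException instead of the redirect. A tolerant read such as `long last = ((Number) ident.getProperty(CONFIRMATION_TS)).longValue();` with `private static final String CONFIRMATION_TS = "confirmationTimestamp";` declared once also removes the three repeated string literals. The timestamp check and the `pc.update(ident)` are not atomic, so several concurrent requests inside the same 6h window can each pass the check before the first update is persisted; whether that bounds the burst acceptably depends on the store behind `pc`. The identity read, token check and `User` lookup at the top of this block repeat the body of `isAccountLocked` (second hunk), so a shared lookup helper would keep the two in step.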
@@ -303,7 +314,7 @@ private boolean isEmailRegistered(String email) {
 return ident != null && ident.hasProperty(Config._PASSWORD);
 }
 
- public boolean isAccountLocked(String email) {
+ private boolean isAccountLocked(String email) {
 Sysprop ident = pc.read(email);
 if (ident != null && !StringUtils.isBlank((String) ident.getProperty(Config._EMAIL_TOKEN))) {
 User u = pc.read(Utils.type(User.class), ident.getCreatorid());