Allow invitation codes for create-account RPCs only

If you define INVITE_CODES_RPC, create-account RPCs must include
a matching invitation code.
Record this code in user.signature to keep track
of where the RPCs are coming from.
This commit is contained in:
David Anderson 2021-01-19 18:48:51 -08:00
parent ba3702e8c8
commit 6948c2d4f1
4 changed files with 25 additions and 14 deletions

View File

@ -202,9 +202,7 @@ struct USER {
int seti_last_result_time; // time of last result (UNIX)
double seti_total_cpu; // number of CPU seconds
char signature[256];
// deprecated as of 9/2004 - may be used as temp
// currently used to store a nonce ID while email address
// is being verified.
// stores invite code, if any, for users created via RPC
bool has_profile;
char cross_project_id[256];
// the "internal" cross-project ID;

View File

@ -121,7 +121,7 @@ create table user (
seti_total_cpu double not null,
signature varchar(254),
-- deprecated
-- stores invite code, if any, for users created via RPC
has_profile smallint not null,
cross_project_id varchar(254) not null,
passwd_hash varchar(254) not null,

View File

@ -44,12 +44,19 @@ if (parse_bool($config, "disable_account_creation_rpc")) {
}
}
if (defined('INVITE_CODES_RPC')) {
$invite_code = get_str("invite_code");
if (!preg_match(INVITE_CODES_RPC, $invite_code)) {
xml_error(-1, "Invalid invitation code");
}
} else {
if (defined('INVITE_CODES')) {
$invite_code = get_str("invite_code");
if (!preg_match(INVITE_CODES, $invite_code)) {
xml_error(-1, "Invalid invitation code");
}
}
}
$email_addr = get_str("email_addr");
$email_addr = strtolower($email_addr);
@ -129,7 +136,13 @@ if ($user) {
xml_error(ERR_DB_NOT_UNIQUE);
}
if (defined('INVITE_CODES')) {
if (defined('INVITE_CODES_RPC')) {
// record the invite code
//
$r = BoincDb::escape_string($invite_code);
$user->update("signature='$r'");
} else if (defined('INVITE_CODES')) {
error_log("Account for '$email_addr' created using invitation code '$invite_code'");
}

View File

@ -19,12 +19,12 @@
require_once("../inc/boinc_db.inc");
require_once("../inc/util.inc");
require_once("../inc/email.inc");
require_once("../inc/account.inc");
function send_validate_email() {
global $master_url;
$user = get_logged_in_user();
$x2 = uniqid(rand(), true);
$user->update("signature='$x2'");
$x2 = make_login_token($user);
send_email(
$user,
tra("Validate BOINC email address"),
@ -44,7 +44,7 @@ function validate() {
error_page(tra("No such user."));
}
$x2 = $user->signature;
$x2 = $user->login_token;
if ($x2 != $x) {
error_page(tra("Error in URL data - can't validate email address"));
}