From 85199c72f0d90932ab42f377ff457ce8376b19ed Mon Sep 17 00:00:00 2001 From: Vitaly Takmazov Date: Fri, 24 May 2024 15:19:14 +0300 Subject: Do not allow disposable emails --- src/main/java/com/juick/service/EmailService.java | 3 +- .../java/com/juick/service/EmailServiceImpl.java | 36 ++++++++++++++++++- .../java/com/juick/www/controllers/Settings.java | 42 ++++++++++++---------- 3 files changed, 60 insertions(+), 21 deletions(-) (limited to 'src/main/java') diff --git a/src/main/java/com/juick/service/EmailService.java b/src/main/java/com/juick/service/EmailService.java index 614cf412..7d8126c5 100644 --- a/src/main/java/com/juick/service/EmailService.java +++ b/src/main/java/com/juick/service/EmailService.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2023, Juick + * Copyright (C) 2008-2024, Juick * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as @@ -39,4 +39,5 @@ public interface EmailService { String getEmailByAuthCode(String code); void deleteAuthCode(String code); Integer cleanupAuthCodes(); + boolean isValidEmail(String email); } diff --git a/src/main/java/com/juick/service/EmailServiceImpl.java b/src/main/java/com/juick/service/EmailServiceImpl.java index 383dbdaf..08aaf1b9 100644 --- a/src/main/java/com/juick/service/EmailServiceImpl.java +++ b/src/main/java/com/juick/service/EmailServiceImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2020, Juick + * Copyright (C) 2008-2024, Juick * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as @@ -17,13 +17,21 @@ package com.juick.service; +import com.fasterxml.jackson.databind.ObjectMapper; import com.juick.model.User; +import jakarta.inject.Inject; +import okhttp3.OkHttpClient; +import okhttp3.Request; import org.apache.commons.lang3.StringUtils; +import org.springframework.beans.factory.annotation.Value; import org.springframework.dao.EmptyResultDataAccessException; +import org.springframework.http.HttpHeaders; +import org.springframework.http.MediaType; import org.springframework.jdbc.core.namedparam.MapSqlParameterSource; import org.springframework.stereotype.Repository; import org.springframework.transaction.annotation.Transactional; +import java.io.IOException; import java.time.Instant; import java.time.ZoneOffset; import java.time.temporal.ChronoUnit; @@ -36,6 +44,13 @@ import java.util.List; @Transactional public class EmailServiceImpl extends BaseJdbcService implements EmailService { + @Inject + private OkHttpClient httpClient; + @Inject + private ObjectMapper jsonMapper; + + @Value("${email_validation_service_url:http://localhost:8080}") + private String emailValidationServiceUrl; @Override public boolean verifyAddressByCode(Integer userId, String code) { try { @@ -120,4 +135,23 @@ public class EmailServiceImpl extends BaseJdbcService implements EmailService { new MapSqlParameterSource() .addValue("day", toDateTime(day.atOffset(ZoneOffset.UTC)), dateTimeType())); } + + @Override + public boolean isValidEmail(String email) { + var request = new Request.Builder() + .url(emailValidationServiceUrl + "/?email=" + email) + .addHeader(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE) + .build(); + try { + try(var response = httpClient.newCall(request).execute()) { + if (response.isSuccessful() && response.body() != null) { + var account = jsonMapper.readTree(response.body().string()); + return account.has("disposable") && account.get("disposable").textValue().equals("false"); + } + } + } catch (IOException e) { + return false; + } + return false; + } } diff --git a/src/main/java/com/juick/www/controllers/Settings.java b/src/main/java/com/juick/www/controllers/Settings.java index 457985b5..8d66bd36 100644 --- a/src/main/java/com/juick/www/controllers/Settings.java +++ b/src/main/java/com/juick/www/controllers/Settings.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2023, Juick + * Copyright (C) 2008-2024, Juick * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as @@ -175,25 +175,29 @@ public class Settings { } break; case "email-add": - if (!emailService.verifyAddressByCode(visitor.getUid(), request.getParameter("account"))) { - String authCode = RandomStringUtils.randomAlphanumeric(8).toUpperCase(); - if (emailService.addVerificationCode(visitor.getUid(), request.getParameter("account"), authCode)) { - Session session = Session.getDefaultInstance(System.getProperties()); - try { - MimeMessage message = new MimeMessage(session); - message.setFrom(new InternetAddress("noreply@juick.com")); - message.addRecipient(Message.RecipientType.TO, new InternetAddress(request.getParameter("account"))); - message.setSubject("Juick authorization link"); - message.setText(String.format("Follow link to attach this email to Juick account:\n" + - "http://juick.com/settings?page=auth-email&code=%s\n\n" + - "If you don't know, what this mean - just ignore this mail.\n", authCode)); - Transport.send(message); - result = "
Authorization link has been sent to your email. Follow it to proceed.
" + - ""; + if (!emailService.isValidEmail(request.getParameter("account"))) { + result = "Invalid email. Back.
"; + } else { + if (!emailService.verifyAddressByCode(visitor.getUid(), request.getParameter("account"))) { + String authCode = RandomStringUtils.randomAlphanumeric(8).toUpperCase(); + if (emailService.addVerificationCode(visitor.getUid(), request.getParameter("account"), authCode)) { + Session session = Session.getDefaultInstance(System.getProperties()); + try { + MimeMessage message = new MimeMessage(session); + message.setFrom(new InternetAddress("noreply@juick.com")); + message.addRecipient(Message.RecipientType.TO, new InternetAddress(request.getParameter("account"))); + message.setSubject("Juick authorization link"); + message.setText(String.format("Follow link to attach this email to Juick account:\n" + + "http://juick.com/settings?page=auth-email&code=%s\n\n" + + "If you don't know, what this mean - just ignore this mail.\n", authCode)); + Transport.send(message); + result = "Authorization link has been sent to your email. Follow it to proceed.
" + + ""; - } catch (MessagingException ex) { - logger.error("mail exception", ex); - throw new HttpBadRequestException(); + } catch (MessagingException ex) { + logger.error("mail exception", ex); + throw new HttpBadRequestException(); + } } } } -- cgit v1.2.3