Opened 8 months ago
Closed 5 weeks ago
#9137 closed enhancement (fixed)
REST API related issues for signups and pending accounts
| Reported by: | niftythree | Owned by: | espellcaste |
|---|---|---|---|
| Milestone: | 15.0.0 | Priority: | highest |
| Severity: | normal | Version: | |
| Component: | REST API | Keywords: | needs-testing has-patch has-unit-tests |
| Cc: | | | |
Description
Hello,
We've come across a few REST API related issues for signups and pending accounts, which occur in specific scenarios or situations.
Scenario 1: Multiple pending accounts can be registered through the REST API with the same email address, but different usernames.
- If one account is activated, and a user tries to activate any additional accounts through either the website or the REST API, it causes a critical error. The additional account(s) are removed from the pending list (activated in the database).
Scenario 2: Account registered through the website, but not yet activated.
- User tries to access something where authorisation is needed (e.g. /members/me/) through the REST API, with the correct email/password or the correct username/password, the user can access information from the area, even though their account is still pending. They do not see an error notifying them that the account isn't active. They are then visible as an active user in the members directory (unless sorted by alphabetical). Other users can interact with the visible non-activated account, both through the website and REST API (e.g. send a private message).
Scenario 3: Account registered through the REST API, but not yet activated.
- User tries to log in through the website with the correct email, and either a correct/incorrect password, they see an error message stating "Unknown email address. Check again or try your username" (i.e. the user isn't told that their account isn't activated and/or that the password is incorrect).
- User tries to access something where authorisation is needed (e.g. /members/me/) through the REST API with the correct email, and either a correct/incorrect password, they see an error message stating "Unknown email address. Check again or try your username." (i.e. the user isn't told that their account isn't activated and/or that the password is incorrect)
- User tries to access something where authorisation is needed (e.g. /members/me/) through the REST API with the correct username and either a correct/incorrect password, they see an error message stating "The username <usernamegoeshere> is not registered on this site. If you are unsure of your username, try your email address instead." (i.e. the user isn't told that their account isn't activated and/or that the password is incorrect).
- Anyone who knows the username of a pending account that's been registered through the REST API, or if a user thinks that username belongs to them, can constantly request the resending of activation emails by entering the username and anything into the password field.
We've tested all of the above with the following set-up:
- WordPress version: 6.5.2
- BuddyPress version: 12.4.0
- BuddyPress Template: Legacy
- Theme: Twenty Twenty-Four
- Plugins active: BuddyPress, JSON Basic Authentication (https://github.com/WP-API/Basic-Auth)
- PHP: 7.4
Thanks.
Change History (19)
#1
@
8 months ago
- Keywords needs-patch needs-testing added
- Milestone changed from Awaiting Review to Up Next
#2
@
8 months ago
@niftythree
Scenario 1: Multiple pending accounts can be registered through the REST API with the same email address, but different usernames.
This one I'm unable to confirm.
This is the message I get if I try to create a signup via the REST API, and the email address is already used in a pending account (not yet activated).
{ "code": "bp_rest_signup_validation_failed", "data": { "status": 500 }, "message": "That email address has already been used. Please check your inbox for an activation email. It will become available in a couple of days if you do nothing." }
This is the message I get if I try to create a signup via the REST API, and the email address is already used in an activated account.
{ "code": "bp_rest_signup_validation_failed", "data": { "status": 500 }, "message": "<strong>Error:</strong> This email address is already registered. <a href=\"https://bar.wp.test/wp-login.php\">Log in</a> with this address or choose another one." }
Scenario 2: Account registered through the website, but not yet activated.
This is actually a known issue that we are fixing in BP 14.0. See #6123 and this commit. In a nutshell, when a new signup is created, users won't be created anymore and the issue you describe won't happen again.
cc: @imath
Scenario 3: Account registered through the REST API, but not yet activated.
User tries to log in through the website with the correct email, and either a correct/incorrect password, they see an error message stating "Unknown email address. Check again or try your username" (i.e. the user isn't told that their account isn't activated and/or that the password is incorrect)
I can't confirm this. I do see the following message in the login screen:
Error: Your account has not been activated. Check your email for the activation link. If you have not received an email yet, click here to resend it.
With the link to activate it: https://bar.wp.test/wp-login.php?action=bp-resend-activation&id=34&_wpnonce=220500b234
User tries to access something where authorisation is needed (e.g. /members/me/) through the REST API with the correct email, and either a correct/incorrect password, they see an error message stating "Unknown email address. Check again or try your username." (i.e. the user isn't told that their account isn't activated and/or that the password is incorrect)
I can confirm this. And the other one too. This is a good addition. o/
Anyone who knows the username of a pending account that's been registered through the REST API, or if a user thinks that username belongs to them, can constantly request the resending of activation emails by entering the username and anything into the password field.
I actually can't confirm this. Currently, the REST API requires a signup id, or email, or activation key to request sending an activation email.
So it is not possible to use a username of a pending account or password. We do not however protect this endpoint. So it is a public endpoint. And anyone with any of this data could fire it.
But this information is not public.
#4
@
8 months ago
Hi @espellcaste,
Can you confirm that you've tested each scenario using BuddyPress version 12.4.0? We've been able to replicate each of these issues multiple times on this version.
I actually can't confirm this. Currently, the REST API requires a signup id, or email, or activation key to request sending an activation email.
So it is not possible to use a username of a pending account or password. We do not however protect this endpoint. So it is a public endpoint. And anyone with any of this data could fire it.
Please try testing this through the website with BuddyPress version 12.4.0. i.e. register an account through the REST API, and then you will be able to constantly request the resending of activation emails by entering the username and anything into the password field on the website.
Regarding the upcoming next BuddyPress version, we're unable to identify how a user could request the resending of their activation email through the REST API with their email, as you suggested. For example:
https://domain.com/wp-json/buddypress/v1/signup/resend/signupid
https://domain.com/wp-json/buddypress/v1/signup/resend/activationkey
These work, but a user does not have access to their signup id or activation key, and therefore can't request their activation email through these means.
https://domain.com/wp-json/buddypress/v1/signup/resend/user@example.com
This does not work. We've tried sending the email address in multiple formats, with no success. Should we be approaching this in a different way?
Thanks.
#5
@
8 months ago
@niftythree
Scenario 1: Multiple pending accounts can be registered through the REST API with the same email address, but different usernames.
I can confirm this using BP 12.4. But as I've noted, and tested, above, this will be fixed in the next milestone (14).
Please try testing this through the website with BuddyPress version 12.4.0. i.e. register an account through the REST API, and then you will be able to constantly request the resending of activation emails by entering the username and anything into the password field on the website.
Oh, you mean the web version, not the REST API. I can confirm this too. But here I'm not sure what could be done. We don't want to prevent people from requesting to resend the email, if necessary. I'll need to talk this one over with the team. Maybe we can add some sort of time limit or attempts. Or a hook so that devs can decide how to best approach it from their community.
---
Thanks! You found a bug in the signup endpoint. I have a fix incoming.
This ticket was mentioned in Slack in #buddypress by espellcaste.
7 months ago
#7
@
7 months ago
We agreed in the last dev chat that we should add some sort of feedback to the user after locking them for a period of time (maybe an hour, will be configurable). Similar to how WordPress does it for comments.
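As an added illustration of the lockout agreed above (this is example code, not BuddyPress's own implementation or the PR's patch), a transient-based limiter that both the wp-login.php resend handler and a REST callback could call. The function names and the two filter names are assumptions; `get_transient`, `set_transient`, `apply_filters`, `WP_Error` and `HOUR_IN_SECONDS` are standard WordPress.

```php
<?php
/**
 * Example only: throttle activation-email resends per pending signup.
 * $signup_key is whatever identifies the signup (id, email or activation
 * key); it is hashed so the transient name stays short and never stores
 * the raw value.
 */
function example_bp_resend_allowed( $signup_key ) {
    // Lock window in seconds (one hour by default); configurable via filter.
    $window = (int) apply_filters( 'example_bp_resend_lock_window', HOUR_IN_SECONDS, $signup_key );
    // Resends permitted per window.
    $limit  = (int) apply_filters( 'example_bp_resend_lock_limit', 1, $signup_key );

    $name  = 'example_bp_resend_' . md5( (string) $signup_key );
    $count = (int) get_transient( $name );

    if ( $count >= $limit ) {
        return false; // Locked: do not send, do not extend the window.
    }

    // set_transient() refreshes the expiry on each write, so the window runs
    // from the latest *allowed* attempt; blocked attempts never reset it.
    set_transient( $name, $count + 1, $window );
    return true;
}

// Web form handler: same wording whether or not a matching signup exists,
// so an unauthenticated visitor learns nothing about account status.
function example_bp_handle_web_resend( $signup_key ) {
    if ( ! example_bp_resend_allowed( $signup_key ) ) {
        return new WP_Error(
            'example_bp_resend_locked',
            __( 'If a pending account matches, an activation email was sent recently. Please try again later.', 'example' )
        );
    }
    // ... send the activation email here ...
    return true;
}

// REST callback: same check, returned as a 429 so API clients can back off.
function example_bp_rest_resend_check( $signup_key ) {
    if ( ! example_bp_resend_allowed( $signup_key ) ) {
        return new WP_Error(
            'example_bp_resend_locked',
            __( 'Too many activation email requests. Please try again later.', 'example' ),
            array( 'status' => 429 )
        );
    }
    return true;
}
```

Keying the lock on the signup rather than the client IP is what makes it cover the case reported here, where a visitor only needs a username and any password to trigger a resend.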
This ticket was mentioned in PR #341 on buddypress/buddypress by renatonascalves.
5 months ago
#9
- Keywords has-patch has-unit-tests added; needs-patch removed
Here I'm suggesting an approach to block users from constantly requesting the resending of activation emails. This approach is filterable and flexible. And accounts for both the web version and the REST API.
Trac ticket: https://buddypress.trac.wordpress.org/ticket/9137
#12
@
5 months ago
Hi @espellcaste. We've had a quick look and they look to be working OK. Thanks for your work on this.
As a side note, most items from the original post above in this ticket are still possible with BP14. Please see below:
Scenario 1: Still possible.
Scenario 2: While this is not possible anymore, could we advise the user here that their account is pending?
Scenario 3:
- Point 1: Still possible.
- Point 2: Still possible.
- Point 3: Could we advise the user here that their account is pending?
- Point 4: The second part of this is still possible. You are able to enter a username of a pending account that's been registered through the REST API and any incorrect password (could be one letter) to get the ability to resend the activation email. The user does not have to be correctly logged in.
Thanks.
#13
@
4 months ago
Hi @espellcaste, we wanted to check that you haven't used a multisite when testing the scenarios in our above post?
#14
@
4 months ago
I did. But just for context, we decided to deprecate the V1 of the REST API. We are in the process of building V2, see #9145, and those issues will be fixed as part of V2, but not V1.
So I'll go over those reported issues as part of V2 ticket.
This ticket was mentioned in Slack in #buddypress by espellcaste.
2 months ago
This ticket was mentioned in PR #396 on buddypress/buddypress by renatonascalves.
6 weeks ago
#17
Trac ticket: https://buddypress.trac.wordpress.org/ticket/9137
#18
@
6 weeks ago
@niftythree
There is a new PR with the following fixes: https://github.com/buddypress/buddypress/pull/396
Could you take a look at it?
could we advise the user here that their account is pending?
I personally think that's sharing too much information to possibly, or technically, any user.
See this bug report from you, for example:
Anyone who knows the username of a pending account that's been registered through the REST API, or if a user thinks that username belongs to them, can constantly request the resending of activation emails by entering the username and anything into the password field.
In the hope of being helpful to the user, we'd be automatically exposing the user status where bots could use it to DDoS communities, like in the example shared.
I'd rather each community set this up if they think it makes sense, rather than offering as a core feature.
cc: @imath
Thanks for the feedback. I'll be reviewing this...