email: add verification cool down to prevent abuse (!8136) · Merge requests · Warren Gifford / sourcegraph

Warren Gifford requested to merge jc/email-verification-cool-down into master Jan 30, 2020

Created by: unknwon

This PR adds a so-called "email verification cool down" mechanism to prevent abuse someone else's email in high frequency, this mechanism could be used for single email.

Notes:

~~Add a new site configuration option { "email.verification": { "coolDown": "30s" } } (naming subject to change if there is a better one!)~~
Prevent user from signing up with a previously used email until the email address is cooled down
~~Prevent user from adding another email to the account until the user as a whole is cooled down~~
The mechanism will not be triggered if the Sourcegraph instance does not require email verification

Manually tested and added unit tests.

Fixes sourcegraph/security-issues#55.

email: add verification cool down to prevent abuse

Merge request reports