Prevent registration race condition

This commit is contained in:
calzoneman 2013-11-05 22:39:51 -06:00
parent 33d1075d44
commit 22ba96b9fd
3 changed files with 23 additions and 0 deletions


@ -1,3 +1,9 @@
Tue Nov 05 22:38 2013 CDT
* lib/database.js: Add a check for registrations-in-progress to prevent
duplicate queries by an impatient user
* www/assets/js/account.js: Disable the registration button while the
registration is being processed
Mon Nov 04 16:15 2013 CDT
* lib/xss.js, tests/xss.js: Merge work-in-progress XSS filter
from xss branch


@ -738,6 +738,7 @@ Database.prototype.isUsernameTaken = function (name, callback) {
});
};
var regInProgress = {};
Database.prototype.registerUser = function (name, pw, callback) {
var self = this;
if(typeof callback !== "function")
@ -748,37 +749,50 @@ Database.prototype.registerUser = function (name, pw, callback) {
return;
}
if (regInProgress[name]) {
callback("Registration is already in progress", null);
return;
}
regInProgress[name] = true;
var postRegister = function (err, res) {
if(err) {
delete regInProgress[name];
callback(err, null);
return;
}
self.createLoginSession(name, function (err, hash) {
if(err) {
delete regInProgress[name];
// Don't confuse people into thinking the registration
// failed when it was the session that failed
callback(null, "");
return;
}
delete regInProgress[name];
callback(null, hash);
});
};
self.isUsernameTaken(name, function (err, taken) {
if(err) {
delete regInProgress[name];
callback(err, null);
return;
}
if(taken) {
delete regInProgress[name];
callback("Username already taken", null);
return;
}
bcrypt.hash(pw, 10, function (err, hash) {
if(err) {
delete regInProgress[name];
callback(err, null);
return;
}


@ -161,6 +161,8 @@ $("#registerbtn").click(function() {
return;
}
$("#registerbtn").attr("disabled", true);
// Input valid, try registering
var data = {
name: name,
@ -168,6 +170,7 @@ $("#registerbtn").click(function() {
};
postJSON(WEB_URL + "/api/register?callback=?", data, function (data) {
$("#registerbtn").attr("disabled", false);
if(data.success) {
uname = name;
session = data.session;