AFFiNE
Self-hosted: Invite email link can be re-used, potential DoS
What happened?
When a user is invited to the platform, the user who receives the invite can re-use the invite link multiple times. Every time the user uses that link, a new email is sent out to the person who invited him, to inform them that the invite was accepted.
Steps to reproduce
- Invite a new user
- New user rapidly spam-clicks the invite link (opens multiple tabs).
- An equivalent number of emails is sent to the inviter, to inform them that the user has accepted the invitation.
See the attached screenshot for a sample:
Distribution version
Linux
What browsers are you seeing the problem on if you're using web version?
No response
Are you self-hosting?
- [X] Yes
Relevant log output
No response
Anything else?
No response
Issue Status: 💡 Open
We want to implement the fix or feature in the near future. We can’t promise it will appear in the next public release, but it’s on our short list.
This is an automatic reply by the bot.
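One way to close the behaviour reported above is to make invite acceptance idempotent, so that only the first use of the link notifies the inviter. The sketch below is an added example, not AFFiNE's code or part of the original issue; `InviteStore`, `acceptNaive`, `acceptOnce`, `emailsAfterClicks`, the token and the addresses are all hypothetical and constructed for illustration.

```typescript
// Added example: hypothetical types and names, not AFFiNE's code.
type Status = "pending" | "accepted";
interface Invite { inviter: string; invitee: string; status: Status }

class InviteStore {
  private rows = new Map<string, Invite>();
  add(token: string, inviter: string, invitee: string): void {
    this.rows.set(token, { inviter, invitee, status: "pending" });
  }
  get(token: string): Invite | undefined { return this.rows.get(token); }
  // Compare-and-set. With a SQL backend this would be one conditional
  // UPDATE ... WHERE status = 'pending', checking the affected row count,
  // so that parallel requests from several tabs cannot all succeed.
  transition(token: string, from: Status, to: Status): boolean {
    const row = this.rows.get(token);
    if (!row || row.status !== from) return false;
    row.status = to;
    return true;
  }
}

type Mailer = (to: string, body: string) => void;

// Behaviour described in the report: every visit notifies the inviter.
function acceptNaive(store: InviteStore, mail: Mailer, token: string): boolean {
  const inv = store.get(token);
  if (!inv) return false;
  inv.status = "accepted";
  mail(inv.inviter, `${inv.invitee} accepted your invitation`);
  return true;
}

// Idempotent: only the request that wins pending -> accepted sends mail.
function acceptOnce(store: InviteStore, mail: Mailer, token: string): boolean {
  const inv = store.get(token);
  if (!inv) return false;
  if (store.transition(token, "pending", "accepted")) {
    mail(inv.inviter, `${inv.invitee} accepted your invitation`);
  }
  return true; // repeat visits still succeed for the invitee, silently
}

// Replays `clicks` visits to one constructed invite link; returns emails sent.
function emailsAfterClicks(handler: typeof acceptOnce, clicks: number): number {
  const store = new InviteStore();
  store.add("tok-constructed", "inviter@example.test", "invitee@example.test");
  const outbox: string[] = [];
  for (let i = 0; i < clicks; i++) handler(store, (to, body) => outbox.push(`${to}: ${body}`), "tok-constructed");
  return outbox.length;
}

console.log(emailsAfterClicks(acceptNaive, 5), emailsAfterClicks(acceptOnce, 5));
```

Per-inviter rate limiting on outgoing notification mail is a complementary control, since it also bounds volume when many distinct invites are accepted.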