diff --git a/internal/api/external.go b/internal/api/external.go index bd880221b..752a10239 100644 --- a/internal/api/external.go +++ b/internal/api/external.go @@ -384,7 +384,7 @@ func (a *API) createAccountFromExternalIdentity(tx *storage.Connection, r *http. if decision.CandidateEmail.Email != "" { referrer := utilities.GetReferrer(r, config) externalURL := getExternalHost(ctx) - if terr = a.sendConfirmation(tx, user, config.SMTP.MaxFrequency, referrer, externalURL, config.Mailer.OtpLength, models.ImplicitFlow); terr != nil { + if terr = a.sendConfirmation(tx, user, referrer, externalURL, models.ImplicitFlow); terr != nil { if errors.Is(terr, MaxFrequencyLimitError) { return nil, tooManyRequestsError(ErrorCodeOverEmailSendRateLimit, "For security purposes, you can only request this once every minute") } diff --git a/internal/api/identity.go b/internal/api/identity.go index f00b77f75..104cda579 100644 --- a/internal/api/identity.go +++ b/internal/api/identity.go @@ -134,7 +134,7 @@ func (a *API) linkIdentityToUser(r *http.Request, ctx context.Context, tx *stora if !userData.Metadata.EmailVerified { referrer := utilities.GetReferrer(r, a.config) externalURL := getExternalHost(ctx) - if terr := a.sendConfirmation(tx, targetUser, a.config.SMTP.MaxFrequency, referrer, externalURL, a.config.Mailer.OtpLength, models.ImplicitFlow); terr != nil { + if terr := a.sendConfirmation(tx, targetUser, referrer, externalURL, models.ImplicitFlow); terr != nil { if errors.Is(terr, MaxFrequencyLimitError) { return nil, tooManyRequestsError(ErrorCodeOverSMSSendRateLimit, "For security purposes, you can only request this once every minute") } diff --git a/internal/api/invite.go b/internal/api/invite.go index d1ee6dab9..3438dd28d 100644 --- a/internal/api/invite.go +++ b/internal/api/invite.go @@ -83,7 +83,7 @@ func (a *API) Invite(w http.ResponseWriter, r *http.Request) error { referrer := utilities.GetReferrer(r, config) externalURL := getExternalHost(ctx) - if err := a.sendInvite(tx, user, referrer, externalURL, config.Mailer.OtpLength); err != nil { + if err := a.sendInvite(tx, user, referrer, externalURL); err != nil { return internalServerError("Error inviting user").WithInternalError(err) } return nil diff --git a/internal/api/magic_link.go b/internal/api/magic_link.go index 68c34fedc..70e4f38a2 100644 --- a/internal/api/magic_link.go +++ b/internal/api/magic_link.go @@ -141,7 +141,7 @@ func (a *API) MagicLink(w http.ResponseWriter, r *http.Request) error { } referrer := utilities.GetReferrer(r, config) externalURL := getExternalHost(ctx) - return a.sendMagicLink(tx, user, config.SMTP.MaxFrequency, referrer, externalURL, config.Mailer.OtpLength, flowType) + return a.sendMagicLink(tx, user, referrer, externalURL, flowType) }) if err != nil { if errors.Is(err, MaxFrequencyLimitError) { diff --git a/internal/api/mail.go b/internal/api/mail.go index 91de1332d..1b1d162f6 100644 --- a/internal/api/mail.go +++ b/internal/api/mail.go @@ -11,7 +11,6 @@ import ( "github.com/pkg/errors" "github.com/sethvargo/go-password/password" "github.com/supabase/auth/internal/api/provider" - "github.com/supabase/auth/internal/conf" "github.com/supabase/auth/internal/crypto" "github.com/supabase/auth/internal/models" "github.com/supabase/auth/internal/storage" @@ -262,8 +261,11 @@ func (a *API) adminGenerateLink(w http.ResponseWriter, r *http.Request) error { return sendJSON(w, http.StatusOK, resp) } -func (a *API) sendConfirmation(tx *storage.Connection, u *models.User, maxFrequency time.Duration, referrerURL string, externalURL *url.URL, otpLength int, flowType models.FlowType) error { +func (a *API) sendConfirmation(tx *storage.Connection, u *models.User, referrerURL string, externalURL *url.URL, flowType models.FlowType) error { mailer := a.Mailer() + config := a.config + otpLength := config.Mailer.OtpLength + maxFrequency := config.SMTP.MaxFrequency var err error if u.ConfirmationSentAt != nil && !u.ConfirmationSentAt.Add(maxFrequency).Before(time.Now()) { return MaxFrequencyLimitError @@ -290,8 +292,10 @@ func (a *API) sendConfirmation(tx *storage.Connection, u *models.User, maxFreque return nil } -func (a *API) sendInvite(tx *storage.Connection, u *models.User, referrerURL string, externalURL *url.URL, otpLength int) error { +func (a *API) sendInvite(tx *storage.Connection, u *models.User, referrerURL string, externalURL *url.URL) error { mailer := a.Mailer() + config := a.config + otpLength := config.Mailer.OtpLength var err error oldToken := u.ConfirmationToken otp, err := crypto.GenerateOtp(otpLength) @@ -315,7 +319,10 @@ func (a *API) sendInvite(tx *storage.Connection, u *models.User, referrerURL str return nil } -func (a *API) sendPasswordRecovery(tx *storage.Connection, u *models.User, maxFrequency time.Duration, referrerURL string, externalURL *url.URL, otpLength int, flowType models.FlowType) error { +func (a *API) sendPasswordRecovery(tx *storage.Connection, u *models.User, referrerURL string, externalURL *url.URL, flowType models.FlowType) error { + config := a.config + maxFrequency := config.SMTP.MaxFrequency + otpLength := config.Mailer.OtpLength mailer := a.Mailer() var err error if u.RecoverySentAt != nil && !u.RecoverySentAt.Add(maxFrequency).Before(time.Now()) { @@ -344,7 +351,10 @@ func (a *API) sendPasswordRecovery(tx *storage.Connection, u *models.User, maxFr return nil } -func (a *API) sendReauthenticationOtp(tx *storage.Connection, u *models.User, maxFrequency time.Duration, otpLength int) error { +func (a *API) sendReauthenticationOtp(tx *storage.Connection, u *models.User) error { + config := a.config + maxFrequency := config.SMTP.MaxFrequency + otpLength := config.Mailer.OtpLength mailer := a.Mailer() var err error if u.ReauthenticationSentAt != nil && !u.ReauthenticationSentAt.Add(maxFrequency).Before(time.Now()) { @@ -372,8 +382,11 @@ func (a *API) sendReauthenticationOtp(tx *storage.Connection, u *models.User, ma return nil } -func (a *API) sendMagicLink(tx *storage.Connection, u *models.User, maxFrequency time.Duration, referrerURL string, externalURL *url.URL, otpLength int, flowType models.FlowType) error { +func (a *API) sendMagicLink(tx *storage.Connection, u *models.User, referrerURL string, externalURL *url.URL, flowType models.FlowType) error { mailer := a.Mailer() + config := a.config + otpLength := config.Mailer.OtpLength + maxFrequency := config.SMTP.MaxFrequency var err error // since Magic Link is just a recovery with a different template and behaviour // around new users we will reuse the recovery db timer to prevent potential abuse @@ -404,7 +417,9 @@ func (a *API) sendMagicLink(tx *storage.Connection, u *models.User, maxFrequency } // sendEmailChange sends out an email change token to the new email. -func (a *API) sendEmailChange(tx *storage.Connection, config *conf.GlobalConfiguration, u *models.User, email, referrerURL string, externalURL *url.URL, otpLength int, flowType models.FlowType) error { +func (a *API) sendEmailChange(tx *storage.Connection, u *models.User, email, referrerURL string, externalURL *url.URL, flowType models.FlowType) error { + config := a.config + otpLength := config.Mailer.OtpLength var err error mailer := a.Mailer() if u.EmailChangeSentAt != nil && !u.EmailChangeSentAt.Add(config.SMTP.MaxFrequency).Before(time.Now()) { diff --git a/internal/api/reauthenticate.go b/internal/api/reauthenticate.go index 8c158e7c5..9e046c635 100644 --- a/internal/api/reauthenticate.go +++ b/internal/api/reauthenticate.go @@ -42,7 +42,7 @@ func (a *API) Reauthenticate(w http.ResponseWriter, r *http.Request) error { return terr } if email != "" { - return a.sendReauthenticationOtp(tx, user, config.SMTP.MaxFrequency, config.Mailer.OtpLength) + return a.sendReauthenticationOtp(tx, user) } else if phone != "" { smsProvider, terr := sms_provider.GetSmsProvider(*config) if terr != nil { diff --git a/internal/api/recover.go b/internal/api/recover.go index 75493b59d..b4cc6c803 100644 --- a/internal/api/recover.go +++ b/internal/api/recover.go @@ -68,7 +68,7 @@ func (a *API) Recover(w http.ResponseWriter, r *http.Request) error { } referrer := utilities.GetReferrer(r, config) externalURL := getExternalHost(ctx) - return a.sendPasswordRecovery(tx, user, config.SMTP.MaxFrequency, referrer, externalURL, config.Mailer.OtpLength, flowType) + return a.sendPasswordRecovery(tx, user, referrer, externalURL, flowType) }) if err != nil { if errors.Is(err, MaxFrequencyLimitError) { diff --git a/internal/api/resend.go b/internal/api/resend.go index cccf4a915..bb78f628e 100644 --- a/internal/api/resend.go +++ b/internal/api/resend.go @@ -124,7 +124,7 @@ func (a *API) Resend(w http.ResponseWriter, r *http.Request) error { return terr } // PKCE not implemented yet - return a.sendConfirmation(tx, user, config.SMTP.MaxFrequency, referrer, externalURL, config.Mailer.OtpLength, models.ImplicitFlow) + return a.sendConfirmation(tx, user, referrer, externalURL, models.ImplicitFlow) case smsVerification: if terr := models.NewAuditLogEntry(r, tx, user, models.UserRecoveryRequestedAction, "", nil); terr != nil { return terr @@ -139,7 +139,7 @@ func (a *API) Resend(w http.ResponseWriter, r *http.Request) error { } messageID = mID case emailChangeVerification: - return a.sendEmailChange(tx, config, user, user.EmailChange, referrer, externalURL, config.Mailer.OtpLength, models.ImplicitFlow) + return a.sendEmailChange(tx, user, user.EmailChange, referrer, externalURL, models.ImplicitFlow) case phoneChangeVerification: smsProvider, terr := sms_provider.GetSmsProvider(*config) if terr != nil { diff --git a/internal/api/signup.go b/internal/api/signup.go index 1af2bfd08..7b8a92373 100644 --- a/internal/api/signup.go +++ b/internal/api/signup.go @@ -247,7 +247,7 @@ func (a *API) Signup(w http.ResponseWriter, r *http.Request) error { } } externalURL := getExternalHost(ctx) - if terr = a.sendConfirmation(tx, user, config.SMTP.MaxFrequency, referrer, externalURL, config.Mailer.OtpLength, flowType); terr != nil { + if terr = a.sendConfirmation(tx, user, referrer, externalURL, flowType); terr != nil { if errors.Is(terr, MaxFrequencyLimitError) { now := time.Now() left := user.ConfirmationSentAt.Add(config.SMTP.MaxFrequency).Sub(now) / time.Second diff --git a/internal/api/user.go b/internal/api/user.go index 07809b62c..62fa86656 100644 --- a/internal/api/user.go +++ b/internal/api/user.go @@ -204,7 +204,7 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error { } externalURL := getExternalHost(ctx) - if terr = a.sendEmailChange(tx, config, user, params.Email, referrer, externalURL, config.Mailer.OtpLength, flowType); terr != nil { + if terr = a.sendEmailChange(tx, user, params.Email, referrer, externalURL, flowType); terr != nil { if errors.Is(terr, MaxFrequencyLimitError) { return tooManyRequestsError(ErrorCodeOverEmailSendRateLimit, "For security purposes, you can only request this once every 60 seconds") }