From 6ffb7efc9bb136d3b65382375cb62ce53169e3cf Mon Sep 17 00:00:00 2001
From: David Baker
Date: Tue, 11 Oct 2016 18:08:18 +0100
Subject: [PATCH 1/2] Prevent spamming emails by reusing client secret

Generate a client secret in the Signup class (if we don't already have one) and re-usae it for subsequent attempts to register, that way the IS can honour the sendAttempt flag and not re-send the email if we're just retrying and requestToken becomes idempotent.
---
src/Signup.js | 8 ++++++++
src/SignupStages.js | 6 +++++-
2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/Signup.js b/src/Signup.js
index 18d338cc32..13cb9b47fd 100644
--- a/src/Signup.js
+++ b/src/Signup.js
@@ -130,6 +130,14 @@ class Register extends Signup {
this.password = password;
const client = this._createTemporaryClient();
this.activeStage = null;
+
+ // If there hasn't been a client secret set by this point,
+ // generate one for this session. It will only be used if
+ // we do email verification, but far simpler to just make
+ // sure we have one.
+ if (!this.params.clientSecret) {
+ this.params.clientSecret = client.generateClientSecret();
+ }
return this._tryRegister(client);
}

diff --git a/src/SignupStages.js b/src/SignupStages.js
index 2b0d163a08..8ae61f1a7d 100644
--- a/src/SignupStages.js
+++ b/src/SignupStages.js
@@ -158,7 +158,11 @@ class EmailIdentityStage extends Stage {
return this._completeVerify();
}

- this.clientSecret = this.client.generateClientSecret();
+ this.clientSecret = this.signupInstance.params.clientSecret;
+ if (!this.clientSecret) {
+ return q.reject(new Error("No client secret specified by Signup class!"));
+ }
+
var nextLink = this.signupInstance.params.registrationUrl + '?client_secret=' + encodeURIComponent(this.clientSecret) +

From c45b076df9f6042ceeb1a3910cf227654fb79a55 Mon Sep 17 00:00:00 2001
From: David Baker
Date: Tue, 11 Oct 2016 18:13:26 +0100
Subject: [PATCH 2/2] More commentary

---
src/Signup.js | 4 ++++
1 file changed, 4 insertions(+)
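Review bot: The comment added above the guard says why the secret is reused but not what it protects: the client secret is the value the identity server later uses to tie the email validation session to this registration, so it has to be unguessable, and `client.generateClientSecret()` is an SDK call whose randomness source is not visible in this patch, so it is worth confirming it is backed by a cryptographic RNG before every retry depends on a single value. The guard `if (!this.params.clientSecret)` also implies `this.params` may already carry a secret when `register()` runs; the comment should say whether a caller-supplied value is expected (and from where) or whether the guard exists only for repeated `register()` calls on the same instance. A line such as `// Must be unguessable: the identity server uses it to bind the email validation session to this registration.` would cover the first point. `register()` begins before this hunk.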
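Review bot: The assignment `this.clientSecret = this.signupInstance.params.clientSecret;` creates an ordering dependency on `Register.register()` in Signup.js having populated the secret, and nothing in this file records that; a comment above it such as `// Generated once per Register instance in Signup.js and reused across retries so the IS can honour sendAttempt.` would tell the next reader why this stage no longer generates its own. The rejection `q.reject(new Error("No client secret specified by Signup class!"))` is the right outcome for that programming error and matches the early return at the top of the hunk. Note that `nextLink` below embeds the secret in the query string of `registrationUrl`, so any logging of that URL would expose it; that is existing behaviour, but the same value now survives for the whole session rather than one attempt. The enclosing method starts before this hunk and continues past it.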
diff --git a/src/Signup.js b/src/Signup.js
index 13cb9b47fd..e387513c90 100644
--- a/src/Signup.js
+++ b/src/Signup.js
@@ -135,6 +135,10 @@ class Register extends Signup {
// generate one for this session. It will only be used if
// we do email verification, but far simpler to just make
// sure we have one.
+ // We re-use this same secret over multiple calls to register
+ // so that the identity server can honour the sendAttempt
+ // parameter and not re-send email unless we actually want
+ // another mail to be sent.
if (!this.params.clientSecret) {
this.params.clientSecret = client.generateClientSecret();
}