From a2e8d27b494bf932e6db0f19ffd019dd1915efc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Jaussoin?=
Date: Mon, 11 Sep 2023 09:35:11 +0000
Subject: [PATCH] Fix #121 Only apply throttling to redeemed tokens

---
 .../Api/Account/CreationTokenController.php | 4 +++-
 .../Feature/ApiAccountCreationTokenTest.php | 19 +++++++++++++------
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/flexiapi/app/Http/Controllers/Api/Account/CreationTokenController.php b/flexiapi/app/Http/Controllers/Api/Account/CreationTokenController.php
index 92f8850..cee3f22 100644
--- a/flexiapi/app/Http/Controllers/Api/Account/CreationTokenController.php
+++ b/flexiapi/app/Http/Controllers/Api/Account/CreationTokenController.php
@@ -42,13 +42,15 @@ class CreationTokenController extends Controller
 ]);
 
 $last = AccountCreationToken::where('pn_provider', $request->get('pn_provider'))
- ->where('pn_paparam', $request->get('pn_param'))
+ ->where('pn_param', $request->get('pn_param'))
 ->where('pn_prid', $request->get('pn_prid'))
 ->where('created_at', '>=', Carbon::now()->subMinutes(config('app.account_creation_token_retry_minutes'))->toDateTimeString())
+ ->where('used', true)
 ->latest()
 ->first();
 
 if ($last) {
+ Log::channel('events')->info('API: Token throttled', ['token' => $last->token]);
 abort(429, 'Last token requested too recently');
 }
 
diff --git a/flexiapi/tests/Feature/ApiAccountCreationTokenTest.php b/flexiapi/tests/Feature/ApiAccountCreationTokenTest.php
index f90ca7f..28fd8dd 100644
--- a/flexiapi/tests/Feature/ApiAccountCreationTokenTest.php
+++ b/flexiapi/tests/Feature/ApiAccountCreationTokenTest.php
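Review bot: Once `->where('used', true)` is part of the lookup, a token that was issued but never redeemed no longer counts towards the retry window, so an unauthenticated caller can repeat the same pn_provider/pn_param/pn_prid request and get past this throttle on every call until some token is redeemed — the new test confirms exactly that path (503 rather than 429 while an unused token exists). If the code after this `if` (outside the hunk) inserts a new row and sends a push per request, that is an unbounded creation/notification path keyed only by attacker-supplied identifiers; consider re-issuing the existing unredeemed token instead of minting another, or capping pending tokens per target in the window with a second query such as `->where('used', false)->where('created_at', '>=', $since)->count() >= config('app.account_creation_token_max_pending')`. Separately, the added log line writes the token value itself into the events channel; since the row is already redeemed the exposure is limited, but logging the push identifiers rather than the secret keeps credentials out of log storage, `Log::channel('events')->info('API: Token throttled', ['pn_prid' => $last->pn_prid, 'pn_provider' => $last->pn_provider]);`. The enclosing method starts and ends outside the hunk.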
@@ -64,9 +64,13 @@ class ApiAccountCreationTokenTest extends TestCase
 ])->assertStatus(422);
 }
 
- public function testExpiration()
+ public function testThrottling()
 {
- $existing = AccountCreationToken::factory()->create();
+ AccountCreationToken::factory()->create([
+ 'pn_provider' => $this->pnProvider,
+ 'pn_param' => $this->pnParam,
+ 'pn_prid' => $this->pnPrid,
+ ]);
 
 $this->json($this->method, $this->tokenRoute, [
 'pn_provider' => $this->pnProvider,
@@ -74,11 +78,14 @@ class ApiAccountCreationTokenTest extends TestCase
 'pn_prid' => $this->pnPrid,
 ])->assertStatus(503);
 
+ // Redeem all the tokens
+ AccountCreationToken::where('used', false)->update(['used' => true]);
+
 $this->json($this->method, $this->tokenRoute, [
- 'pn_provider' => $existing->pnProvider,
- 'pn_param' => $existing->pnParam,
- 'pn_prid' => $existing->pnPrid,
- ])->assertStatus(422);
+ 'pn_provider' => $this->pnProvider,
+ 'pn_param' => $this->pnParam,
+ 'pn_prid' => $this->pnPrid,
+ ])->assertStatus(429);
 }
 
 public function testAdminEndpoint()
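Review bot: The second hunk asserts "unredeemed token → not throttled" and "redeemed token → 429", but nothing checks the far edge of the window — a redeemed token older than `account_creation_token_retry_minutes` must not throttle — and with testExpiration renamed to testThrottling that case is no longer covered anywhere in this file. After the 429 assertion, backdate the redeemed rows and repeat the request, e.g. `AccountCreationToken::where('used', true)->update(['created_at' => now()->subMinutes(config('app.account_creation_token_retry_minutes') + 1)]);` followed by the same `$this->json(...)` call asserting the non-throttled status the first request produced (503 here). The blanket `where('used', false)->update(['used' => true])` also flips any token rows created outside this method; adding the three pn_* keys to that query keeps the fixture self-contained. Both hunks belong to testThrottling, whose body is split across them and whose closing brace is in the second hunk.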