From 86389a5fb3bb57841938694ecef91f07372d3ec2 Mon Sep 17 00:00:00 2001
From: Moxie Marlinspike
Date: Tue, 13 Mar 2018 17:33:19 -0700
Subject: [PATCH] Don't rate limit null pin submissions
---
 .../controllers/AccountController.java | 15 ++++++++++-----
 .../tests/controllers/AccountControllerTest.java | 2 +-
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java b/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
index 21c851026..ccb7546dd 100644
--- a/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
+++ b/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
@@ -175,13 +175,18 @@ public class AccountController {
 System.currentTimeMillis() - existingAccount.get().getLastSeen() < TimeUnit.DAYS.toMillis(7))
 {
 rateLimiters.getVerifyLimiter().clear(number);
+
+ long timeRemaining = TimeUnit.DAYS.toMillis(7) - (System.currentTimeMillis() - existingAccount.get().getLastSeen());
+
+ if (accountAttributes.getPin() == null) {
+ throw new WebApplicationException(Response.status(423)
+ .entity(new RegistrationLockFailure(timeRemaining))
+ .build());
+ }
+
 rateLimiters.getPinLimiter().validate(number);
 
- if (accountAttributes.getPin() == null ||
- !MessageDigest.isEqual(existingAccount.get().getPin().get().getBytes(), accountAttributes.getPin().getBytes()))
- {
- long timeRemaining = TimeUnit.DAYS.toMillis(7) - (System.currentTimeMillis() - existingAccount.get().getLastSeen());
-
+ if (!MessageDigest.isEqual(existingAccount.get().getPin().get().getBytes(), accountAttributes.getPin().getBytes())) {
 throw new WebApplicationException(Response.status(423)
 .entity(new RegistrationLockFailure(timeRemaining))
 .build());
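Review bot: The 423 registration-lock response is now built verbatim in two places in this hunk — the new null-PIN guard and the rewritten mismatch branch — so any later change to the status code or the failure entity has to be made twice and the two paths can silently drift; a small private helper keeps them identical. While touching the comparison line, both `getBytes()` calls passed to `MessageDigest.isEqual` use the platform default charset, so `getBytes(StandardCharsets.UTF_8)` on both sides would make the byte comparison independent of the JVM's `file.encoding` (add the `java.nio.charset.StandardCharsets` import if the file lacks it). Keeping `rateLimiters.getPinLimiter().validate(number)` ahead of the comparison, as the hunk does, is what ensures only requests that actually carry a PIN consume the guess budget. The enclosing `if` and the method it belongs to begin and end outside the hunk.
```java
        if (accountAttributes.getPin() == null) {
          throw registrationLockFailure(timeRemaining);
        }

        rateLimiters.getPinLimiter().validate(number);

        if (!MessageDigest.isEqual(existingAccount.get().getPin().get().getBytes(StandardCharsets.UTF_8),
                                   accountAttributes.getPin().getBytes(StandardCharsets.UTF_8))) {
          throw registrationLockFailure(timeRemaining);
        }
        // … unchanged: remainder of the registration-lock block …

  // class-level helper; the method above continues outside the hunk
  private static WebApplicationException registrationLockFailure(long timeRemaining) {
    return new WebApplicationException(Response.status(423)
                                               .entity(new RegistrationLockFailure(timeRemaining))
                                               .build());
  }
```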
diff --git a/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java b/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
index 0e40c8bd9..fd984002f 100644
--- a/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
+++ b/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
@@ -213,7 +213,7 @@ public class AccountControllerTest {
 RegistrationLockFailure failure = response.readEntity(RegistrationLockFailure.class);
- verify(pinLimiter).validate(eq(SENDER_PIN));
+ verifyNoMoreInteractions(pinLimiter);
 }
 @Test