Double submit and race condition in account registration

[martinmo]

Describe the bug

In the account registration, it's possible to submit the registration form multiple times because the submit button remains clickable until the API request returns. However, this request sometimes can take a few seconds (e.g., because accounts in external systems such as GitLab are created, network latency, and so on).

There is no indication for the user that a request is ongoing – because of this, users sometimes submit the same form a second or even a third time.

The server side doesn't handle these quick successive requests well and there are different possible outcomes we have observed:

• Most of the times, the user receives multiple account confirmation mails, but only the activation link in the last sent mail is valid.
• With the "right" timing, some unlucky users receive a confirmation mail even if no account was created because of an GitLab API error (for example, because of Registration (GitLab+Jenkins) : Unmatched GitLab Password Constraints in a failing registration do not produce a conclusive error message #6477 and User Management: GitLab Password Constraints not checked/mentioned in Artemis #6457).
  • Basically, this seems to be a race condition between two parallel requests to /api/register.
  • According to my quick analysis, it happens if the second request finishes the logic in UserService.handleRegisterUserWithSameLoginAsExistingUser() before the first request removes the account because of the GitLab error.
  • In the frontend, the user will get two contradicting error messages in this case.

To Reproduce

1. Go to /account/register.
2. Fill the form with valid data.
3. Click the "Register" multiple times (this might be difficult on a local setup).
4. Check your mailbox and see multiple registration mails.

Expected behavior

• On the UI side, the "Register" button should be immediately disabled after clicking to prevent multiple submits. This also acts as an indicator for the user that some operation is ongoing.
• On the server side, the /api/register endpoint should reject parallel registration requests with the same user data (e.g., login name).

Screenshots

Which version of Artemis are you seeing the problem on?

6.2.1

What browsers are you seeing the problem on?

Firefox

Additional context

We use GitLab and Jenkins.

Relevant log output

No response