4.36.8

app/app/api/views/alias.py

@@ -31,6 +31,7 @@ from app.models import Alias, Contact, Mailbox, AliasMailbox
 @deprecated
 @api_bp.route("/aliases", methods=["GET", "POST"])
 @require_api_auth
+@limiter.limit("10/minute", key_func=lambda: g.user.id)
 def get_aliases():
     """
     Get aliases
@@ -72,10 +73,8 @@ def get_aliases():
 
 
 @api_bp.route("/v2/aliases", methods=["GET", "POST"])
-@limiter.limit(
-    "5/minute",
-)
 @require_api_auth
+@limiter.limit("50/minute", key_func=lambda: g.user.id)
 def get_aliases_v2():
     """
     Get aliases

app/app/config.py

@@ -179,6 +179,7 @@ AWS_REGION = os.environ.get("AWS_REGION") or "eu-west-3"
 BUCKET = os.environ.get("BUCKET")
 AWS_ACCESS_KEY_ID = os.environ.get("AWS_ACCESS_KEY_ID")
 AWS_SECRET_ACCESS_KEY = os.environ.get("AWS_SECRET_ACCESS_KEY")
+AWS_ENDPOINT_URL = os.environ.get("AWS_ENDPOINT_URL", None)
 
 # Paddle
 try:

app/app/dashboard/views/custom_alias.py

@@ -24,6 +24,7 @@ from app.models import (
     AliasMailbox,
     DomainDeletedAlias,
 )
+from app.utils import CSRFValidationForm
 
 
 @dashboard_bp.route("/custom_alias", methods=["GET", "POST"])
@@ -48,9 +49,13 @@ def custom_alias():
             at_least_a_premium_domain = True
             break
 
+    csrf_form = CSRFValidationForm()
     mailboxes = current_user.mailboxes()
 
     if request.method == "POST":
+        if not csrf_form.validate():
+            flash("Invalid request", "warning")
+            return redirect(request.url)
         alias_prefix = request.form.get("prefix").strip().lower().replace(" ", "")
         signed_alias_suffix = request.form.get("signed-alias-suffix")
         mailbox_ids = request.form.getlist("mailboxes")
@@ -164,4 +169,5 @@ def custom_alias():
         alias_suffixes=alias_suffixes,
         at_least_a_premium_domain=at_least_a_premium_domain,
         mailboxes=mailboxes,
+        csrf_form=csrf_form,
     )

app/app/dashboard/views/index.py

@@ -57,10 +57,7 @@ def get_stats(user: User) -> Stats:
     methods=["POST"],
     exempt_when=lambda: request.form.get("form-name") != "create-random-email",
 )
-@limiter.limit(
+@limiter.limit("10/minute", methods=["GET"], key_func=lambda: current_user.id)
-    "5/minute",
-    methods=["GET"],
-)
 @login_required
 @parallel_limiter.lock(
     name="alias_creation",

app/app/s3.py

@@ -13,17 +13,29 @@ from app.config import (
     LOCAL_FILE_UPLOAD,
     UPLOAD_DIR,
     URL,
+    AWS_ENDPOINT_URL,
 )
-
+from app.log import LOG
-if not LOCAL_FILE_UPLOAD:
-    _session = boto3.Session(
-        aws_access_key_id=AWS_ACCESS_KEY_ID,
-        aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
-        region_name=AWS_REGION,
-    )
 
 
-def upload_from_bytesio(key: str, bs: BytesIO, content_type="string"):
+_s3_client = None
+
+
+def _get_s3client():
+    global _s3_client
+    if _s3_client is None:
+        args = {
+            "aws_access_key_id": AWS_ACCESS_KEY_ID,
+            "aws_secret_access_key": AWS_SECRET_ACCESS_KEY,
+            "region_name": AWS_REGION,
+        }
+        if AWS_ENDPOINT_URL:
+            args["endpoint_url"] = AWS_ENDPOINT_URL
+        _s3_client = boto3.client("s3", **args)
+    return _s3_client
+
+
+def upload_from_bytesio(key: str, bs: BytesIO, content_type="application/octet-stream"):
     bs.seek(0)
 
     if LOCAL_FILE_UPLOAD:
@@ -34,7 +46,8 @@ def upload_from_bytesio(key: str, bs: BytesIO, content_type="string"):
             f.write(bs.read())
 
     else:
-        _session.resource("s3").Bucket(BUCKET).put_object(
+        _get_s3client().put_object(
+            Bucket=BUCKET,
             Key=key,
             Body=bs,
             ContentType=content_type,
@@ -52,7 +65,8 @@ def upload_email_from_bytesio(path: str, bs: BytesIO, filename):
             f.write(bs.read())
 
     else:
-        _session.resource("s3").Bucket(BUCKET).put_object(
+        _get_s3client().put_object(
+            Bucket=BUCKET,
             Key=path,
             Body=bs,
             # Support saving a remote file using Http header
@@ -67,12 +81,9 @@ def download_email(path: str) -> Optional[str]:
         file_path = os.path.join(UPLOAD_DIR, path)
         with open(file_path, "rb") as f:
             return f.read()
-    resp = (
+    resp = _get_s3client().get_object(
-        _session.resource("s3")
+        Bucket=BUCKET,
-        .Bucket(BUCKET)
+        Key=path,
-        .get_object(
-            Key=path,
-        )
     )
     if not resp or "Body" not in resp:
         return None
@@ -88,8 +99,7 @@ def get_url(key: str, expires_in=3600) -> str:
     if LOCAL_FILE_UPLOAD:
         return URL + "/static/upload/" + key
     else:
-        s3_client = _session.client("s3")
+        return _get_s3client().generate_presigned_url(
-        return s3_client.generate_presigned_url(
             ExpiresIn=expires_in,
             ClientMethod="get_object",
             Params={"Bucket": BUCKET, "Key": key},
@@ -100,5 +110,15 @@ def delete(path: str):
     if LOCAL_FILE_UPLOAD:
         os.remove(os.path.join(UPLOAD_DIR, path))
     else:
-        o = _session.resource("s3").Bucket(BUCKET).Object(path)
+        _get_s3client().delete_object(Bucket=BUCKET, Key=path)
-        o.delete()
+
+
+def create_bucket_if_not_exists():
+    s3client = _get_s3client()
+    buckets = s3client.list_buckets()
+    for bucket in buckets["Buckets"]:
+        if bucket["Name"] == BUCKET:
+            LOG.i("Bucket already exists")
+            return
+    s3client.create_bucket(Bucket=BUCKET)
+    LOG.i(f"Bucket {BUCKET} created")

app/templates/dashboard/custom_alias.html

@@ -93,6 +93,7 @@
         </div>
         <div class="row">
           <div class="col p-1">
+            {{ csrf_form.csrf_token }}
             <button type="submit" id="create" class="btn btn-primary mt-1">Create</button>
           </div>
         </div>