4.63.0

4.62.0
4.61.1
2025-01-20 12:00:06 +00:00 · 2024-12-20 12:00:08 +00:00 · 2024-11-30 12:00:10 +00:00 · 2024-11-29 12:00:12 +00:00 · 2024-11-18 12:00:06 +00:00 · 2024-11-16 12:00:07 +00:00
73 changed files with 2952 additions and 748 deletions
--- a/app/.github/workflows/main.yml
+++ b/app/.github/workflows/main.yml
@ -1,6 +1,12 @@
-name: Test and lint
+name: SimpleLogin actions
-on: [push, pull_request]
+on:
  push:
    branches:
      - master
    tags:
      - v*
  pull_request:
 jobs:
  lint:
@ -9,35 +15,30 @@ jobs:
      - name: Check out repo
        uses: actions/checkout@v3
-      - name: Install poetry
+      - name: "Install rye"
-        run: pipx install poetry
+        id: setup-rye
-
+        uses: eifinger/setup-rye@v4
      - uses: actions/setup-python@v4
        with:
-          python-version: '3.10'
+          version: '0.43.0'
-          cache: 'poetry'
+          checksum: 'ca702c3d93fd6ec76a1a0efaaa605e10736ee79a0674d241aad1bc0fe26f7d80'
          enable-cache: true
      - name: Install OS dependencies
        if: ${{ matrix.python-version }} == '3.10'
        run: |
          sudo apt update
          sudo apt install -y libre2-dev libpq-dev
      - name: Install dependencies
-        if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
+        if: steps.setup-rye.outputs.cache-hit != 'true'
-        run: poetry install --no-interaction
+        run: rye sync --no-lock
      - name: Check formatting & linting
        run: |
-          poetry run pre-commit run --all-files
+          rye run pre-commit run --all-files
  test:
    runs-on: ubuntu-latest
    strategy:
      max-parallel: 4
      matrix:
        python-version: ["3.10"]
    # service containers to run with `postgres-job`
    services:
@ -69,24 +70,23 @@ jobs:
      - name: Check out repo
        uses: actions/checkout@v3
-      - name: Install poetry
+      - name: Install rye
-        run: pipx install poetry
+        id: setup-rye
-
+        uses: eifinger/setup-rye@v4
      - uses: actions/setup-python@v4
        with:
-          python-version: ${{ matrix.python-version }}
+          version: '0.43.0'
-          cache: 'poetry'
+          checksum: 'ca702c3d93fd6ec76a1a0efaaa605e10736ee79a0674d241aad1bc0fe26f7d80'
          enable-cache: true
          cache-prefix: 'rye-cache'
      - name: Install OS dependencies
        if: ${{ matrix.python-version }} == '3.10'
        run: |
          sudo apt update
          sudo apt install -y libre2-dev libpq-dev
      - name: Install dependencies
-        if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
+        if: steps.setup-rye.outputs.cache-hit != 'true'
-        run: poetry install --no-interaction
+        run: rye sync --no-lock
      - name: Start Redis v6
        uses: superchargejs/redis-github-action@1.1.0
@ -95,7 +95,8 @@ jobs:
      - name: Run db migration
        run: |
-          CONFIG=tests/test.env poetry run alembic upgrade head
+          rye install alembic
          CONFIG=tests/test.env rye run alembic upgrade head
      - name: Prepare version file
        run: |
@ -104,7 +105,7 @@ jobs:
      - name: Test with pytest
        run: |
-          poetry run pytest
+          rye run pytest
        env:
          GITHUB_ACTIONS_TEST: true
--- a/app/.python-version
+++ b/app/.python-version
@ -0,0 +1 @@
 3.10.16
--- a/app/CONTRIBUTING.md
+++ b/app/CONTRIBUTING.md
@ -20,7 +20,7 @@ SimpleLogin backend consists of 2 main components:
 ## Install dependencies
 The project requires:
- Python 3.10 and poetry to manage dependencies
+- Python 3.10 and rye to manage dependencies
 - Node v10 for front-end.
 - Postgres 13+
@ -28,7 +28,7 @@ First, install all dependencies by running the following command.
 Feel free to use `virtualenv` or similar tools to isolate development environment.
 ```bash
-poetry sync
+rye sync
 ```
 On Mac, sometimes you might need to install some other packages via `brew`:
@ -55,7 +55,7 @@ brew install -s re2 pybind11
 We use pre-commit to run all our linting and static analysis checks. Please run
 ```bash
-poetry run pre-commit install
+rye run pre-commit install
 ```
 To install it in your development environment.
@ -160,25 +160,25 @@ Here are the small sum-ups of the directory structures and their roles:
 The code is formatted using [ruff](https://github.com/astral-sh/ruff), to format the code, simply run
 ```
-poetry run ruff format .
+rye run ruff format .
 ```
 The code is also checked with `flake8`, make sure to run `flake8` before creating the pull request by
 ```bash
-poetry run flake8
+rye run flake8
 ```
 For HTML templates, we use `djlint`. Before creating a pull request, please run
 ```bash
-poetry run djlint --check templates
+rye run djlint --check templates
 ```
 If some files aren't properly formatted, you can format all files with
 ```bash
-poetry run djlint --reformat .
+rye run djlint --reformat .
 ```
 ## Test sending email
@ -236,18 +236,11 @@ There are several ways to setup Python and manage the project dependencies on Ma
 # we haven't managed to make python 3.12 work
 brew install python3.10
-# make sure to update the PATH so python, pip point to Python3
+# Install rye using the official installation script, found on https://rye.astral.sh/guide/installation/
 # for us it can be done by adding "export PATH=/opt/homebrew/opt/python@3.10/libexec/bin:$PATH" to .zprofile
-# Although pipx is the recommended way to install poetry,
+# Install the dependencies
-# install pipx via brew will automatically install python 3.12
+rye sync
 # and poetry will then use python 3.12
 # so we recommend using poetry this way instead
 curl -sSL https://install.python-poetry.org | python3 -
 poetry install
 # activate the virtualenv and you should be good to go!
 source .venv/bin/activate
 ```
--- a/app/Dockerfile
+++ b/app/Dockerfile
@ -4,43 +4,45 @@ WORKDIR /code
 COPY ./static/package*.json /code/static/
 RUN cd /code/static && npm ci
-# Main image
+FROM --platform=linux/amd64 ubuntu:22.04
-FROM python:3.10
+
 ARG RYE_VERSION="0.43.0"
 ARG RYE_HASH="ca702c3d93fd6ec76a1a0efaaa605e10736ee79a0674d241aad1bc0fe26f7d80"
 # Keeps Python from generating .pyc files in the container
-ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONDONTWRITEBYTECODE=1
 # Turns off buffering for easier container logging
-ENV PYTHONUNBUFFERED 1
+ENV PYTHONUNBUFFERED=1
 # Add poetry to PATH
 ENV PATH="${PATH}:/root/.local/bin"
 WORKDIR /code
-# Copy poetry files
+# Copy dependency files
-COPY poetry.lock pyproject.toml ./
+COPY pyproject.toml requirements.lock requirements-dev.lock .python-version ./
-# Install and setup poetry
+# Install deps
-RUN pip install -U pip \
+RUN apt-get update \
-    && apt-get update \
+    && apt-get install -y curl netcat-traditional gcc python3-dev gnupg git libre2-dev build-essential pkg-config cmake ninja-build bash clang \
-    && apt install -y curl netcat-traditional gcc python3-dev gnupg git libre2-dev cmake ninja-build\
+    && curl -sSL "https://github.com/astral-sh/rye/releases/download/${RYE_VERSION}/rye-x86_64-linux.gz" > rye.gz \
-    && curl -sSL https://install.python-poetry.org | python3 - \
+    && echo "${RYE_HASH}  rye.gz" | sha256sum -c - \
-    # Remove curl and netcat from the image
+    && gunzip rye.gz \
-    && apt-get purge -y curl netcat-traditional \
+    && chmod +x rye \
-    # Run poetry
+    && mv rye /usr/bin/rye \
-    && poetry config virtualenvs.create false \
+    && rye toolchain fetch `cat .python-version` \
-    && poetry install  --no-interaction --no-ansi --no-root \
+    && rye sync --no-lock --no-dev \
-    # Clear apt cache \
+    && apt-get autoremove -y \
-    && apt-get purge -y libre2-dev cmake ninja-build\
+    && apt-get purge -y curl netcat-traditional build-essential pkg-config cmake ninja-build python3-dev clang\
    && apt-get autoremove -y \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
 # Copy code
 COPY . .
 # copy npm packages
 COPY --from=npm /code /code
-# copy everything else into /code
+ENV PATH="/code/.venv/bin:$PATH"
 COPY . .
 EXPOSE 7777
 #gunicorn wsgi:app -b 0.0.0.0:7777 -w 2 --timeout 15 --log-level DEBUG
--- a/app/README.md
+++ b/app/README.md
@ -84,7 +84,7 @@ For email gurus, we have chosen 1024 key length instead of 2048 for DNS simplici
 ### DNS
-Please note that DNS changes could take up to 24 hours to propagate. In practice, it's a lot faster though (~1 minute or so in our test). In DNS setup, we usually use domain with a trailing dot (`.`) at the end to to force using absolute domain.
+Please note that DNS changes could take up to 24 hours to propagate. In practice, it's a lot faster though (~1 minute or so in our test). In DNS setup, we usually use domain with a trailing dot (`.`) at the end to force using absolute domain.
 #### MX record
--- a/app/SECURITY.md
+++ b/app/SECURITY.md
@ -7,8 +7,4 @@ If you want be up to date on security patches, make sure your SimpleLogin image
 ## Reporting a Vulnerability
-If you've found a security vulnerability, you can disclose it responsibly by sending a summary to security@simplelogin.io.
+If you want to report a vulnerability, please take a look at our bug bounty program at https://proton.me/security/bug-bounty.
 We will review the potential threat and fix it as fast as we can.
 We are incredibly thankful for people who disclose vulnerabilities, unfortunately we do not have a bounty program in place yet.
--- a/app/app/account_linking.py
+++ b/app/app/account_linking.py
@ -3,12 +3,17 @@ from dataclasses import dataclass
 from enum import Enum
 from typing import Optional
 import arrow
 import sqlalchemy.exc
 from arrow import Arrow
 from newrelic import agent
 from psycopg2.errors import UniqueViolation
 from sqlalchemy import or_
 from app.db import Session
 from app.email_utils import send_welcome_email
 from app.events.event_dispatcher import EventDispatcher
 from app.events.generated.event_pb2 import UserPlanChanged, EventContent
 from app.partner_user_utils import create_partner_user, create_partner_subscription
 from app.utils import sanitize_email, canonicalize_email
 from app.errors import (
@ -31,6 +36,7 @@ from app.utils import random_string
 class SLPlanType(Enum):
    Free = 1
    Premium = 2
    PremiumLifetime = 3
@dataclass
@ -54,8 +60,24 @@ class LinkResult:
    strategy: str
 def send_user_plan_changed_event(partner_user: PartnerUser) -> Optional[int]:
    subscription_end = partner_user.user.get_active_subscription_end(
        include_partner_subscription=False
    )
    end_timestamp = None
    if partner_user.user.lifetime:
        end_timestamp = arrow.get("2038-01-01").timestamp
    elif subscription_end:
        end_timestamp = subscription_end.timestamp
    event = UserPlanChanged(plan_end_time=end_timestamp)
    EventDispatcher.send_event(partner_user.user, EventContent(user_plan_change=event))
    Session.flush()
    return end_timestamp
 def set_plan_for_partner_user(partner_user: PartnerUser, plan: SLPlan):
    sub = PartnerSubscription.get_by(partner_user_id=partner_user.id)
    is_lifetime = plan.type == SLPlanType.PremiumLifetime
    if plan.type == SLPlanType.Free:
        if sub is not None:
            LOG.i(
@ -64,30 +86,37 @@ def set_plan_for_partner_user(partner_user: PartnerUser, plan: SLPlan):
            PartnerSubscription.delete(sub.id)
            agent.record_custom_event("PlanChange", {"plan": "free"})
    else:
        end_time = plan.expiration
        if plan.type == SLPlanType.PremiumLifetime:
            end_time = None
        if sub is None:
            LOG.i(
-                f"Creating partner_subscription [user_id={partner_user.user_id}] [partner_id={partner_user.partner_id}]"
+                f"Creating partner_subscription [user_id={partner_user.user_id}] [partner_id={partner_user.partner_id}] with {end_time} / {is_lifetime}"
            )
            create_partner_subscription(
                partner_user=partner_user,
-                expiration=plan.expiration,
+                expiration=end_time,
                lifetime=is_lifetime,
                msg="Upgraded via partner. User did not have a previous partner subscription",
            )
            agent.record_custom_event("PlanChange", {"plan": "premium", "type": "new"})
        else:
-            if sub.end_at != plan.expiration:
+            if sub.end_at != plan.expiration or sub.lifetime != is_lifetime:
                LOG.i(
                    f"Updating partner_subscription [user_id={partner_user.user_id}] [partner_id={partner_user.partner_id}]"
                )
                agent.record_custom_event(
                    "PlanChange", {"plan": "premium", "type": "extension"}
                )
-                sub.end_at = plan.expiration
+                sub.end_at = plan.expiration if not is_lifetime else None
                sub.lifetime = is_lifetime
                LOG.i(
                    f"Updating partner_subscription [user_id={partner_user.user_id}] [partner_id={partner_user.partner_id}] to {sub.end_at} / {sub.lifetime} "
                )
                emit_user_audit_log(
                    user=partner_user.user,
                    action=UserAuditLogAction.SubscriptionExtended,
                    message="Extended partner subscription",
                )
    Session.flush()
    send_user_plan_changed_event(partner_user)
    Session.commit()
@ -112,6 +141,7 @@ def ensure_partner_user_exists_for_user(
            partner_email=link_request.email,
            external_user_id=link_request.external_user_id,
        )
        Session.commit()
        LOG.i(
            f"Created new partner_user for partner:{partner.id} user:{sl_user.id} external_user_id:{link_request.external_user_id}. PartnerUser.id is {res.id}"
@ -139,15 +169,56 @@ class ClientMergeStrategy(ABC):
 class NewUserStrategy(ClientMergeStrategy):
    def process(self) -> LinkResult:
        # Will create a new SL User with a random password
        canonical_email = canonicalize_email(self.link_request.email)
-        new_user = User.create(
+        try:
-            email=canonical_email,
+            # Will create a new SL User with a random password
-            name=self.link_request.name,
+            new_user = User.create(
-            password=random_string(20),
+                email=canonical_email,
-            activated=True,
+                name=self.link_request.name,
-            from_partner=self.link_request.from_partner,
+                password=random_string(20),
                activated=True,
                from_partner=self.link_request.from_partner,
            )
            self.create_partner_user(new_user)
            Session.commit()
            if not new_user.created_by_partner:
                send_welcome_email(new_user)
            agent.record_custom_event(
                "PartnerUserCreation", {"partner": self.partner.name}
            )
            return LinkResult(
                user=new_user,
                strategy=self.__class__.__name__,
            )
        except (UniqueViolation, sqlalchemy.exc.IntegrityError) as e:
            LOG.debug(f"Got the duplicate user error: {e}")
            return self.create_missing_link(canonical_email)
    def create_missing_link(self, canonical_email: str):
        # If there's a unique key violation due to race conditions try to create only the partner if needed
        partner_user = PartnerUser.get_by(
            external_user_id=self.link_request.external_user_id,
            partner_id=self.partner.id,
        )
        if partner_user is None:
            # Get the user by canonical email and if not by normal email
            user = User.get_by(email=canonical_email) or User.get_by(
                email=self.link_request.email
            )
            if not user:
                raise RuntimeError(
                    "Tried to create only partner on UniqueViolation but cannot find the user"
                )
            partner_user = self.create_partner_user(user)
            Session.commit()
        return LinkResult(
            user=partner_user.user, strategy=ExistingUnlinkedUserStrategy.__name__
        )
    def create_partner_user(self, new_user: User):
        partner_user = create_partner_user(
            user=new_user,
            partner_id=self.partner.id,
@ -161,17 +232,7 @@ class NewUserStrategy(ClientMergeStrategy):
            partner_user,
            self.link_request.plan,
        )
-        Session.commit()
+        return partner_user
        if not new_user.created_by_partner:
            send_welcome_email(new_user)
        agent.record_custom_event("PartnerUserCreation", {"partner": self.partner.name})
        return LinkResult(
            user=new_user,
            strategy=self.__class__.__name__,
        )
 class ExistingUnlinkedUserStrategy(ClientMergeStrategy):
--- a/app/app/admin_model.py
+++ b/app/app/admin_model.py
@ -8,14 +8,18 @@ from flask_admin.form import SecureForm
 from flask_admin.model.template import EndpointLinkRowAction
 from markupsafe import Markup
-from app import models, s3
+from app import models, s3, config
 from flask import redirect, url_for, request, flash, Response
 from flask_admin import expose, AdminIndexView
 from flask_admin.actions import action
 from flask_admin.contrib import sqla
 from flask_login import current_user
 from app.custom_domain_validation import CustomDomainValidation, DomainValidationResult
 from app.db import Session
 from app.dns_utils import get_network_dns_client
 from app.events.event_dispatcher import EventDispatcher
 from app.events.generated.event_pb2 import EventContent, UserPlanChanged
 from app.models import (
    User,
    ManualSubscription,
@ -37,8 +41,10 @@ from app.models import (
    AliasMailbox,
    AliasAuditLog,
    UserAuditLog,
    CustomDomain,
 )
 from app.newsletter_utils import send_newsletter_to_user, send_newsletter_to_address
 from app.user_audit_log_utils import emit_user_audit_log, UserAuditLogAction
 def _admin_action_formatter(view, context, model, name):
@ -351,17 +357,42 @@ def manual_upgrade(way: str, ids: [int], is_giveaway: bool):
                manual_sub.end_at = manual_sub.end_at.shift(years=1)
            else:
                manual_sub.end_at = arrow.now().shift(years=1, days=1)
            emit_user_audit_log(
                user=user,
                action=UserAuditLogAction.Upgrade,
                message=f"Admin {current_user.email} extended manual subscription to user {user.email}",
            )
            EventDispatcher.send_event(
                user=user,
                content=EventContent(
                    user_plan_change=UserPlanChanged(
                        plan_end_time=manual_sub.end_at.timestamp
                    )
                ),
            )
            flash(f"Subscription extended to {manual_sub.end_at.humanize()}", "success")
-            continue
+        else:
            emit_user_audit_log(
                user=user,
                action=UserAuditLogAction.Upgrade,
                message=f"Admin {current_user.email} created manual subscription to user {user.email}",
            )
            manual_sub = ManualSubscription.create(
                user_id=user.id,
                end_at=arrow.now().shift(years=1, days=1),
                comment=way,
                is_giveaway=is_giveaway,
            )
            EventDispatcher.send_event(
                user=user,
                content=EventContent(
                    user_plan_change=UserPlanChanged(
                        plan_end_time=manual_sub.end_at.timestamp
                    )
                ),
            )
-        ManualSubscription.create(
+            flash(f"New {way} manual subscription for {user} is created", "success")
            user_id=user.id,
            end_at=arrow.now().shift(years=1, days=1),
            comment=way,
            is_giveaway=is_giveaway,
        )
        flash(f"New {way} manual subscription for {user} is created", "success")
    Session.commit()
@ -453,14 +484,7 @@ class ManualSubscriptionAdmin(SLModelView):
        "Extend 1 year more?",
    )
    def extend_1y(self, ids):
-        for ms in ManualSubscription.filter(ManualSubscription.id.in_(ids)):
+        self.__extend_manual_subscription(ids, msg="1 year", years=1)
            ms.end_at = ms.end_at.shift(years=1)
            flash(f"Extend subscription for 1 year for {ms.user}", "success")
            AdminAuditLog.extend_subscription(
                current_user.id, ms.user.id, ms.end_at, "1 year"
            )
        Session.commit()
    @action(
        "extend_1m",
@ -468,11 +492,26 @@ class ManualSubscriptionAdmin(SLModelView):
        "Extend 1 month more?",
    )
    def extend_1m(self, ids):
        self.__extend_manual_subscription(ids, msg="1 month", months=1)
    def __extend_manual_subscription(self, ids: List[int], msg: str, **kwargs):
        for ms in ManualSubscription.filter(ManualSubscription.id.in_(ids)):
-            ms.end_at = ms.end_at.shift(months=1)
+            sub: ManualSubscription = ms
-            flash(f"Extend subscription for 1 month for {ms.user}", "success")
+            sub.end_at = sub.end_at.shift(**kwargs)
            flash(f"Extend subscription for {msg} for {sub.user}", "success")
            emit_user_audit_log(
                user=sub.user,
                action=UserAuditLogAction.Upgrade,
                message=f"Admin {current_user.email} extended manual subscription for {msg} for {sub.user}",
            )
            AdminAuditLog.extend_subscription(
-                current_user.id, ms.user.id, ms.end_at, "1 month"
+                current_user.id, sub.user.id, sub.end_at, msg
            )
            EventDispatcher.send_event(
                user=sub.user,
                content=EventContent(
                    user_plan_change=UserPlanChanged(plan_end_time=sub.end_at.timestamp)
                ),
            )
        Session.commit()
@ -737,21 +776,22 @@ class InvalidMailboxDomainAdmin(SLModelView):
 class EmailSearchResult:
-    no_match: bool = True
+    def __init__(self):
-    alias: Optional[Alias] = None
+        self.no_match: bool = True
-    alias_audit_log: Optional[List[AliasAuditLog]] = None
+        self.alias: Optional[Alias] = None
-    mailbox: List[Mailbox] = []
+        self.alias_audit_log: Optional[List[AliasAuditLog]] = None
-    mailbox_count: int = 0
+        self.mailbox: List[Mailbox] = []
-    deleted_alias: Optional[DeletedAlias] = None
+        self.mailbox_count: int = 0
-    deleted_alias_audit_log: Optional[List[AliasAuditLog]] = None
+        self.deleted_alias: Optional[DeletedAlias] = None
-    domain_deleted_alias: Optional[DomainDeletedAlias] = None
+        self.deleted_alias_audit_log: Optional[List[AliasAuditLog]] = None
-    domain_deleted_alias_audit_log: Optional[List[AliasAuditLog]] = None
+        self.domain_deleted_alias: Optional[DomainDeletedAlias] = None
-    user: Optional[User] = None
+        self.domain_deleted_alias_audit_log: Optional[List[AliasAuditLog]] = None
-    user_audit_log: Optional[List[UserAuditLog]] = None
+        self.user: Optional[User] = None
-    query: str
+        self.user_audit_log: Optional[List[UserAuditLog]] = None
        self.query: str
    @staticmethod
-    def from_email(email: str) -> EmailSearchResult:
+    def from_request_email(email: str) -> EmailSearchResult:
        output = EmailSearchResult()
        output.query = email
        alias = Alias.get_by(email=email)
@ -763,7 +803,11 @@ class EmailSearchResult:
                .all()
            )
            output.no_match = False
-        user = User.get_by(email=email)
+        try:
            user_id = int(email)
            user = User.get(user_id)
        except ValueError:
            user = User.get_by(email=email)
        if user:
            output.user = user
            output.user_audit_log = (
@ -872,7 +916,7 @@ class EmailSearchAdmin(BaseView):
        email = request.args.get("email")
        if email is not None and len(email) > 0:
            email = email.strip()
-            search = EmailSearchResult.from_email(email)
+            search = EmailSearchResult.from_request_email(email)
        return self.render(
            "admin/email_search.html",
@ -880,3 +924,106 @@ class EmailSearchAdmin(BaseView):
            data=search,
            helper=EmailSearchHelpers,
        )
 class CustomDomainWithValidationData:
    def __init__(self, domain: CustomDomain):
        self.domain: CustomDomain = domain
        self.ownership_expected: Optional[str] = None
        self.ownership_validation: Optional[DomainValidationResult] = None
        self.mx_expected: Optional[str] = None
        self.mx_validation: Optional[DomainValidationResult] = None
        self.spf_expected: Optional[str] = None
        self.spf_validation: Optional[DomainValidationResult] = None
        self.dkim_expected: {str: str} = {}
        self.dkim_validation: {str: str} = {}
 class CustomDomainSearchResult:
    def __init__(self):
        self.no_match: bool = False
        self.user: Optional[User] = None
        self.domains: list[CustomDomainWithValidationData] = []
    @staticmethod
    def from_user(user: Optional[User]) -> CustomDomainSearchResult:
        out = CustomDomainSearchResult()
        if user is None:
            out.no_match = True
            return out
        out.user = user
        dns_client = get_network_dns_client()
        validator = CustomDomainValidation(
            dkim_domain=config.EMAIL_DOMAIN,
            partner_domains=config.PARTNER_DNS_CUSTOM_DOMAINS,
            partner_domains_validation_prefixes=config.PARTNER_CUSTOM_DOMAIN_VALIDATION_PREFIXES,
            dns_client=dns_client,
        )
        for custom_domain in user.custom_domains:
            validation_data = CustomDomainWithValidationData(custom_domain)
            if not custom_domain.ownership_verified:
                validation_data.ownership_expected = (
                    validator.get_ownership_verification_record(custom_domain)
                )
                validation_data.ownership_validation = (
                    validator.validate_domain_ownership(custom_domain)
                )
            if not custom_domain.verified:
                validation_data.mx_expected = validator.get_expected_mx_records(
                    custom_domain
                )
                validation_data.mx_validation = validator.validate_mx_records(
                    custom_domain
                )
            if not custom_domain.spf_verified:
                validation_data.spf_expected = validator.get_expected_spf_record(
                    custom_domain
                )
                validation_data.spf_validation = validator.validate_spf_records(
                    custom_domain
                )
            if not custom_domain.dkim_verified:
                validation_data.dkim_expected = validator.get_dkim_records(
                    custom_domain
                )
                validation_data.dkim_validation = validator.validate_dkim_records(
                    custom_domain
                )
            out.domains.append(validation_data)
            print(validation_data.dkim_expected, validation_data.dkim_validation)
        return out
 class CustomDomainSearchAdmin(BaseView):
    def is_accessible(self):
        return current_user.is_authenticated and current_user.is_admin
    def inaccessible_callback(self, name, **kwargs):
        # redirect to login page if user doesn't have access
        flash("You don't have access to the admin page", "error")
        return redirect(url_for("dashboard.index", next=request.url))
    @expose("/", methods=["GET", "POST"])
    def index(self):
        query = request.args.get("user")
        if query is None:
            search = CustomDomainSearchResult()
        else:
            try:
                user_id = int(query)
                user = User.get_by(id=user_id)
            except ValueError:
                user = User.get_by(email=query)
                if user is None:
                    cd = CustomDomain.get_by(domain=query)
                    if cd is not None:
                        user = cd.user
            search = CustomDomainSearchResult.from_user(user)
            print("NEW", search.domains)
        return self.render(
            "admin/custom_domain_search.html",
            data=search,
            query=query,
        )
--- a/app/app/alias_suffix.py
+++ b/app/app/alias_suffix.py
@ -58,7 +58,7 @@ def verify_prefix_suffix(
    # alias_domain must be either one of user custom domains or built-in domains
    if alias_domain not in user.available_alias_domains(alias_options=alias_options):
-        LOG.e("wrong alias suffix %s, user %s", alias_suffix, user)
+        LOG.i("wrong alias suffix %s, user %s", alias_suffix, user)
        return False
    # SimpleLogin domain case:
@ -75,17 +75,17 @@ def verify_prefix_suffix(
        and not config.DISABLE_ALIAS_SUFFIX
    ):
        if not alias_domain_prefix.startswith("."):
-            LOG.e("User %s submits a wrong alias suffix %s", user, alias_suffix)
+            LOG.i("User %s submits a wrong alias suffix %s", user, alias_suffix)
            return False
    else:
        if alias_domain not in user_custom_domains:
            if not config.DISABLE_ALIAS_SUFFIX:
-                LOG.e("wrong alias suffix %s, user %s", alias_suffix, user)
+                LOG.i("wrong alias suffix %s, user %s", alias_suffix, user)
                return False
            if alias_domain not in available_sl_domains:
-                LOG.e("wrong alias suffix %s, user %s", alias_suffix, user)
+                LOG.i("wrong alias suffix %s, user %s", alias_suffix, user)
                return False
    return True
--- a/app/app/api/views/alias.py
+++ b/app/app/api/views/alias.py
@ -299,7 +299,10 @@ def update_alias(alias_id):
        changed = True
    if "mailbox_ids" in data:
-        mailbox_ids = [int(m_id) for m_id in data.get("mailbox_ids")]
+        try:
            mailbox_ids = [int(m_id) for m_id in data.get("mailbox_ids")]
        except ValueError:
            return jsonify(error="Invalid mailbox_id"), 400
        err = set_mailboxes_for_alias(
            user_id=user.id, alias=alias, mailbox_ids=mailbox_ids
        )
@ -419,9 +422,8 @@ def create_contact_route(alias_id):
    if not data:
        return jsonify(error="request body cannot be empty"), 400
-    alias: Alias = Alias.get(alias_id)
+    alias: Optional[Alias] = Alias.get_by(id=alias_id, user_id=g.user.id)
-
+    if not alias:
    if alias.user_id != g.user.id:
        return jsonify(error="Forbidden"), 403
    contact_address = data.get("contact")
--- a/app/app/api/views/mailbox.py
+++ b/app/app/api/views/mailbox.py
@ -38,7 +38,11 @@ def create_mailbox():
        the new mailbox dict
    """
    user = g.user
-    mailbox_email = sanitize_email(request.get_json().get("email"))
+    email = request.get_json().get("email")
    if not email:
        return jsonify(error="Invalid email"), 400
    mailbox_email = sanitize_email(email)
    try:
        new_mailbox = mailbox_utils.create_mailbox(user, mailbox_email).mailbox
--- a/app/app/api/views/new_custom_alias.py
+++ b/app/app/api/views/new_custom_alias.py
@ -1,3 +1,4 @@
 from email_validator import EmailNotValidError
 from flask import g
 from flask import jsonify, request
@ -93,12 +94,15 @@ def new_custom_alias_v2():
            400,
        )
-    alias = Alias.create(
+    try:
-        user_id=user.id,
+        alias = Alias.create(
-        email=full_alias,
+            user_id=user.id,
-        mailbox_id=user.default_mailbox_id,
+            email=full_alias,
-        note=note,
+            mailbox_id=user.default_mailbox_id,
-    )
+            note=note,
        )
    except EmailNotValidError:
        return jsonify(error="Email is not valid"), 400
    Session.commit()
@ -153,8 +157,17 @@ def new_custom_alias_v3():
    if not isinstance(data, dict):
        return jsonify(error="request body does not follow the required format"), 400
-    alias_prefix = data.get("alias_prefix", "").strip().lower().replace(" ", "")
+    alias_prefix_data = data.get("alias_prefix", "") or ""
    if not isinstance(alias_prefix_data, str):
        return jsonify(error="request body does not follow the required format"), 400
    alias_prefix = alias_prefix_data.strip().lower().replace(" ", "")
    signed_suffix = data.get("signed_suffix", "") or ""
    if not isinstance(signed_suffix, str):
        return jsonify(error="request body does not follow the required format"), 400
    signed_suffix = signed_suffix.strip()
    mailbox_ids = data.get("mailbox_ids")
--- a/app/app/auth/views/login.py
+++ b/app/app/auth/views/login.py
@ -10,6 +10,7 @@ from app.events.auth_event import LoginEvent
 from app.extensions import limiter
 from app.log import LOG
 from app.models import User
 from app.pw_models import PasswordOracle
 from app.utils import sanitize_email, sanitize_next_url, canonicalize_email
@ -43,6 +44,13 @@ def login():
        user = User.get_by(email=email) or User.get_by(email=canonical_email)
        if not user or not user.check_password(form.password.data):
            if not user:
                # Do the hash to avoid timing attacks nevertheless
                dummy_pw = PasswordOracle()
                dummy_pw.password = (
                    "$2b$12$ZWqpL73h4rGNfLkJohAFAu0isqSw/bX9p/tzpbWRz/To5FAftaW8u"
                )
                dummy_pw.check_password(form.password.data)
            # Trigger rate limiter
            g.deduct_limit = True
            form.password.data = None
--- a/app/app/config.py
+++ b/app/app/config.py
@ -309,6 +309,7 @@ JOB_DELETE_DOMAIN = "delete-domain"
 JOB_SEND_USER_REPORT = "send-user-report"
 JOB_SEND_PROTON_WELCOME_1 = "proton-welcome-1"
 JOB_SEND_ALIAS_CREATION_EVENTS = "send-alias-creation-events"
 JOB_SEND_EVENT_TO_WEBHOOK = "send-event-to-webhook"
 # for pagination
 PAGE_LIMIT = 20
--- a/app/app/contact_utils.py
+++ b/app/app/contact_utils.py
@ -16,6 +16,7 @@ from app.utils import sanitize_email
 class ContactCreateError(Enum):
    InvalidEmail = "Invalid email"
    NotAllowed = "Your plan does not allow to create contacts"
    Unknown = "Unknown error when trying to create contact"
@dataclass
@ -87,8 +88,10 @@ def create_contact(
        return __update_contact_if_needed(contact, name, mail_from)
    # Create the contact
    reply_email = generate_reply_email(email, alias)
    alias_id = alias.id
    try:
        flags = Contact.FLAG_PARTNER_CREATED if from_partner else 0
        is_invalid_email = email == ""
        contact = Contact.create(
            user_id=alias.user_id,
            alias_id=alias.id,
@ -98,9 +101,10 @@ def create_contact(
            mail_from=mail_from,
            automatic_created=automatic_created,
            flags=flags,
-            invalid_email=email == "",
+            invalid_email=is_invalid_email,
            commit=True,
        )
        contact_id = contact.id
        if automatic_created:
            trail = ". Automatically created"
        else:
@ -108,17 +112,27 @@ def create_contact(
        emit_alias_audit_log(
            alias=alias,
            action=AliasAuditLogAction.CreateContact,
-            message=f"Created contact {contact.id} ({contact.email}){trail}",
+            message=f"Created contact {contact_id} ({email}){trail}",
            commit=True,
        )
        LOG.d(
-            f"Created contact {contact} for alias {alias} with email {email} invalid_email={contact.invalid_email}"
+            f"Created contact {contact} for alias {alias} with email {email} invalid_email={is_invalid_email}"
        )
        return ContactCreateResult(contact, created=True, error=None)
    except IntegrityError:
        Session.rollback()
        LOG.info(
-            f"Contact with email {email} for alias_id {alias.id} already existed, fetching from DB"
+            f"Contact with email {email} for alias_id {alias_id} already existed, fetching from DB"
        )
-        contact = Contact.get_by(alias_id=alias.id, website_email=email)
+        contact: Optional[Contact] = Contact.get_by(
-        return __update_contact_if_needed(contact, name, mail_from)
+            alias_id=alias_id, website_email=email
-    return ContactCreateResult(contact, created=True, error=None)
+        )
        if contact:
            return __update_contact_if_needed(contact, name, mail_from)
        else:
            LOG.warning(
                f"Could not find contact with email {email} for alias_id {alias_id} and it should exist"
            )
            return ContactCreateResult(
                None, created=False, error=ContactCreateError.Unknown
            )
--- a/app/app/dashboard/views/account_setting.py
+++ b/app/app/dashboard/views/account_setting.py
@ -1,3 +1,5 @@
 import secrets
 import arrow
 from flask import (
    render_template,
@ -163,7 +165,7 @@ def send_reset_password_email(user):
    """
    # the activation code is valid for 1h
    reset_password_code = ResetPasswordCode.create(
-        user_id=user.id, code=random_string(60)
+        user_id=user.id, code=secrets.token_urlsafe(32)
    )
    Session.commit()
--- a/app/app/dashboard/views/alias_contact_manager.py
+++ b/app/app/dashboard/views/alias_contact_manager.py
@ -227,7 +227,10 @@ def alias_contact_manager(alias_id):
    page = 0
    if request.args.get("page"):
-        page = int(request.args.get("page"))
+        try:
            page = int(request.args.get("page"))
        except ValueError:
            pass
    query = request.args.get("query") or ""
--- a/app/app/dashboard/views/index.py
+++ b/app/app/dashboard/views/index.py
@ -71,7 +71,10 @@ def index():
    page = 0
    if request.args.get("page"):
-        page = int(request.args.get("page"))
+        try:
            page = int(request.args.get("page"))
        except ValueError:
            pass
    highlight_alias_id = None
    if request.args.get("highlight_alias_id"):
--- a/app/app/dashboard/views/lifetime_licence.py
+++ b/app/app/dashboard/views/lifetime_licence.py
@ -1,3 +1,4 @@
 import arrow
 from flask import render_template, flash, redirect, url_for
 from flask_login import login_required, current_user
 from flask_wtf import FlaskForm
@ -7,6 +8,8 @@ from app.config import ADMIN_EMAIL
 from app.dashboard.base import dashboard_bp
 from app.db import Session
 from app.email_utils import send_email
 from app.events.event_dispatcher import EventDispatcher
 from app.events.generated.event_pb2 import UserPlanChanged, EventContent
 from app.models import LifetimeCoupon
@ -40,6 +43,14 @@ def lifetime_licence():
            current_user.lifetime_coupon_id = coupon.id
            if coupon.paid:
                current_user.paid_lifetime = True
            EventDispatcher.send_event(
                user=current_user,
                content=EventContent(
                    user_plan_change=UserPlanChanged(
                        plan_end_time=arrow.get("2038-01-01").timestamp
                    )
                ),
            )
            Session.commit()
            # notify admin
--- a/app/app/dashboard/views/mailbox.py
+++ b/app/app/dashboard/views/mailbox.py
@ -121,10 +121,16 @@ def mailbox_route():
@login_required
 def mailbox_verify():
    mailbox_id = request.args.get("mailbox_id")
    if not mailbox_id:
        LOG.i("Missing mailbox_id")
        flash("You followed an invalid link", "error")
        return redirect(url_for("dashboard.mailbox_route"))
    code = request.args.get("code")
    if not code:
        # Old way
        return verify_with_signed_secret(mailbox_id)
    try:
        mailbox = mailbox_utils.verify_mailbox_code(current_user, mailbox_id, code)
    except mailbox_utils.MailboxError as e:
--- a/app/app/dashboard/views/notification.py
+++ b/app/app/dashboard/views/notification.py
@ -43,7 +43,10 @@ def notification_route(notification_id):
 def notifications_route():
    page = 0
    if request.args.get("page"):
-        page = int(request.args.get("page"))
+        try:
            page = int(request.args.get("page"))
        except ValueError:
            pass
    notifications = (
        Notification.filter_by(user_id=current_user.id)
--- a/app/app/dashboard/views/setting.py
+++ b/app/app/dashboard/views/setting.py
@ -174,7 +174,12 @@ def setting():
            flash("Your preference has been updated", "success")
            return redirect(url_for("dashboard.setting"))
        elif request.form.get("form-name") == "random-alias-suffix":
-            scheme = int(request.form.get("random-alias-suffix-generator"))
+            try:
                scheme = int(request.form.get("random-alias-suffix-generator"))
            except ValueError:
                flash("Invalid value", "error")
                return redirect(url_for("dashboard.setting"))
            if AliasSuffixEnum.has_value(scheme):
                current_user.random_alias_suffix = scheme
                Session.commit()
--- a/app/app/email_utils.py
+++ b/app/app/email_utils.py
@ -1345,17 +1345,16 @@ def get_queue_id(msg: Message) -> Optional[str]:
    received_header = str(msg[headers.RECEIVED])
    if not received_header:
-        return
+        return None
    # received_header looks like 'from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434])\r\n\t(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\r\n\t(No client certificate requested)\r\n\tby mx1.simplelogin.co (Postfix) with ESMTPS id 4FxQmw1DXdz2vK2\r\n\tfor <jglfdjgld@alias.com>; Fri,  4 Jun 2021 14:55:43 +0000 (UTC)'
-    search_result = re.search("with ESMTPS id [0-9a-zA-Z]{1,}", received_header)
+    search_result = re.search(r"with E?SMTP[AS]? id ([0-9a-zA-Z]{1,})", received_header)
-    if not search_result:
+    if search_result:
-        return
+        return search_result.group(1)
-
+    search_result = re.search("\(Postfix\)\r\n\tid ([a-zA-Z0-9]{1,});", received_header)
-    # the "with ESMTPS id 4FxQmw1DXdz2vK2" part
+    if search_result:
-    with_esmtps = received_header[search_result.start() : search_result.end()]
+        return search_result.group(1)
-
+    return None
    return with_esmtps[len("with ESMTPS id ") :]
 def should_ignore_bounce(mail_from: str) -> bool:
--- a/app/app/jobs/send_event_job.py
+++ b/app/app/jobs/send_event_job.py
@ -0,0 +1,70 @@
 from __future__ import annotations
 import base64
 from typing import Optional
 import arrow
 from app import config
 from app.errors import ProtonPartnerNotSetUp
 from app.events.generated import event_pb2
 from app.events.generated.event_pb2 import EventContent
 from app.models import (
    User,
    Job,
    PartnerUser,
 )
 from app.proton.utils import get_proton_partner
 from events.event_sink import EventSink
 class SendEventToWebhookJob:
    def __init__(self, user: User, event: EventContent):
        self._user: User = user
        self._event: EventContent = event
    def run(self, sink: EventSink) -> bool:
        # Check if the current user has a partner_id
        try:
            proton_partner_id = get_proton_partner().id
        except ProtonPartnerNotSetUp:
            return False
        # It has. Retrieve the information for the PartnerUser
        partner_user = PartnerUser.get_by(
            user_id=self._user.id, partner_id=proton_partner_id
        )
        if partner_user is None:
            return True
        event = event_pb2.Event(
            user_id=self._user.id,
            external_user_id=partner_user.external_user_id,
            partner_id=partner_user.partner_id,
            content=self._event,
        )
        serialized = event.SerializeToString()
        return sink.send_data_to_webhook(serialized)
    @staticmethod
    def create_from_job(job: Job) -> Optional[SendEventToWebhookJob]:
        user = User.get(job.payload["user_id"])
        if not user:
            return None
        event_data = base64.b64decode(job.payload["event"])
        event = event_pb2.EventContent()
        event.ParseFromString(event_data)
        return SendEventToWebhookJob(user=user, event=event)
    def store_job_in_db(self, run_at: Optional[arrow.Arrow]) -> Job:
        stub = self._event.SerializeToString()
        return Job.create(
            name=config.JOB_SEND_EVENT_TO_WEBHOOK,
            payload={
                "user_id": self._user.id,
                "event": base64.b64encode(stub).decode("utf-8"),
            },
            run_at=run_at if run_at is not None else arrow.now(),
            commit=True,
        )
--- a/app/app/mailbox_utils.py
+++ b/app/app/mailbox_utils.py
@ -1,6 +1,5 @@
 import dataclasses
 import secrets
 import random
 from enum import Enum
 from typing import Optional
 import arrow
@ -13,11 +12,13 @@ from app.email_utils import (
    email_can_be_used_as_mailbox,
    send_email,
    render,
    get_email_domain_part,
 )
 from app.email_validation import is_valid_email
 from app.log import LOG
-from app.models import User, Mailbox, Job, MailboxActivation
+from app.models import User, Mailbox, Job, MailboxActivation, Alias
 from app.user_audit_log_utils import emit_user_audit_log, UserAuditLogAction
 from app.utils import canonicalize_email, sanitize_email
@dataclasses.dataclass
@ -37,8 +38,9 @@ class OnlyPaidError(MailboxError):
 class CannotVerifyError(MailboxError):
-    def __init__(self, msg: str):
+    def __init__(self, msg: str, deleted_activation_code: bool = False):
        self.msg = msg
        self.deleted_activation_code = deleted_activation_code
 MAX_ACTIVATION_TRIES = 3
@ -52,6 +54,7 @@ def create_mailbox(
    use_digit_codes: bool = False,
    send_link: bool = True,
 ) -> CreateMailboxOutput:
    email = sanitize_email(email)
    if not user.is_premium():
        LOG.i(
            f"User {user} has tried to create mailbox with {email} but is not premium"
@ -104,7 +107,10 @@ def create_mailbox(
 def delete_mailbox(
-    user: User, mailbox_id: int, transfer_mailbox_id: Optional[int]
+    user: User,
    mailbox_id: int,
    transfer_mailbox_id: Optional[int],
    send_mail: bool = True,
 ) -> Mailbox:
    mailbox = Mailbox.get(mailbox_id)
@ -150,6 +156,7 @@ def delete_mailbox(
            "transfer_mailbox_id": transfer_mailbox_id
            if transfer_mailbox_id and transfer_mailbox_id > 0
            else None,
            "send_mail": send_mail,
        },
        run_at=arrow.now(),
        commit=True,
@ -171,17 +178,17 @@ def verify_mailbox_code(user: User, mailbox_id: int, code: str) -> Mailbox:
            f"User {user} failed to verify mailbox {mailbox_id} because it does not exist"
        )
        raise MailboxError("Invalid mailbox")
    if mailbox.user_id != user.id:
        LOG.i(
            f"User {user} failed to verify mailbox {mailbox_id} because it's owned by another user"
        )
        raise MailboxError("Invalid mailbox")
    if mailbox.verified:
        LOG.i(
            f"User {user} failed to verify mailbox {mailbox_id} because it's already verified"
        )
        clear_activation_codes_for_mailbox(mailbox)
        return mailbox
    if mailbox.user_id != user.id:
        LOG.i(
            f"User {user} failed to verify mailbox {mailbox_id} because it's owned by another user"
        )
        raise MailboxError("Invalid mailbox")
    activation = (
        MailboxActivation.filter(MailboxActivation.mailbox_id == mailbox_id)
@ -196,7 +203,10 @@ def verify_mailbox_code(user: User, mailbox_id: int, code: str) -> Mailbox:
    if activation.tries >= MAX_ACTIVATION_TRIES:
        LOG.i(f"User {user} failed to verify mailbox {mailbox_id} more than 3 times")
        clear_activation_codes_for_mailbox(mailbox)
-        raise CannotVerifyError("Invalid activation code. Please request another code.")
+        raise CannotVerifyError(
            "Invalid activation code. Please request another code.",
            deleted_activation_code=True,
        )
    if activation.created_at < arrow.now().shift(minutes=-15):
        LOG.i(
            f"User {user} failed to verify mailbox {mailbox_id} because code is too old"
@ -229,7 +239,7 @@ def generate_activation_code(
        if config.MAILBOX_VERIFICATION_OVERRIDE_CODE:
            code = config.MAILBOX_VERIFICATION_OVERRIDE_CODE
        else:
-            code = "{:06d}".format(random.randint(1, 999999))
+            code = "{:06d}".format(secrets.randbelow(1000000))[:6]
    else:
        code = secrets.token_urlsafe(16)
    return MailboxActivation.create(
@ -325,3 +335,56 @@ def perform_mailbox_email_change(mailbox_id: int) -> MailboxEmailChangeResult:
            message="Invalid link",
            message_category="error",
        )
 def __get_alias_mailbox_from_email(
    email_address: str, alias: Alias
 ) -> Optional[Mailbox]:
    for mailbox in alias.mailboxes:
        if mailbox.email == email_address:
            return mailbox
        for authorized_address in mailbox.authorized_addresses:
            if authorized_address.email == email_address:
                LOG.d(
                    "Found an authorized address for %s %s %s",
                    alias,
                    mailbox,
                    authorized_address,
                )
                return mailbox
    return None
 def __get_alias_mailbox_from_email_or_canonical_email(
    email_address: str, alias: Alias
 ) -> Optional[Mailbox]:
    # We need to first check for the uncanonicalized version because we still have users in the db with the
    # email non canonicalized. So if it matches the already existing one use that, otherwise check the canonical one
    mbox = __get_alias_mailbox_from_email(email_address, alias)
    if mbox is not None:
        return mbox
    canonical_email = canonicalize_email(email_address)
    if canonical_email != email_address:
        return __get_alias_mailbox_from_email(canonical_email, alias)
    return None
 def get_mailbox_for_reply_phase(
    envelope_mail_from: str, header_mail_from: str, alias
 ) -> Optional[Mailbox]:
    """return the corresponding mailbox given the mail_from and alias
    Usually the mail_from=mailbox.email but it can also be one of the authorized address
    """
    mbox = __get_alias_mailbox_from_email_or_canonical_email(envelope_mail_from, alias)
    if mbox is not None:
        return mbox
    if not header_mail_from:
        return None
    envelope_from_domain = get_email_domain_part(envelope_mail_from)
    header_from_domain = get_email_domain_part(header_mail_from)
    if envelope_from_domain != header_from_domain:
        return None
    # For services that use VERP sending (envelope from has encoded data to account for bounces)
    # if the domain is the same in the header from as the envelope from we can use the header from
    return __get_alias_mailbox_from_email_or_canonical_email(header_mail_from, alias)
--- a/app/app/models.py
+++ b/app/app/models.py
@ -24,6 +24,7 @@ from sqlalchemy import text, desc, CheckConstraint, Index, Column
 from sqlalchemy.dialects.postgresql import TSVECTOR
 from sqlalchemy.ext.declarative import declarative_base
 from sqlalchemy.orm import deferred
 from sqlalchemy.orm.exc import ObjectDeletedError
 from sqlalchemy.sql import and_
 from sqlalchemy_utils import ArrowType
@ -157,6 +158,8 @@ class File(Base, ModelMixin):
    path = sa.Column(sa.String(128), unique=True, nullable=False)
    user_id = sa.Column(sa.ForeignKey("users.id", ondelete="cascade"), nullable=True)
    __table_args__ = (sa.Index("ix_file_user_id", "user_id"),)
    def get_url(self, expires_in=3600):
        return s3.get_url(self.path, expires_in)
@ -318,6 +321,8 @@ class HibpNotifiedAlias(Base, ModelMixin):
    notified_at = sa.Column(ArrowType, default=arrow.utcnow, nullable=False)
    __table_args__ = (sa.Index("ix_hibp_notified_alias_user_id", "user_id"),)
 class Fido(Base, ModelMixin):
    __tablename__ = "fido"
@ -332,11 +337,13 @@ class Fido(Base, ModelMixin):
    name = sa.Column(sa.String(128), nullable=False, unique=False)
    user_id = sa.Column(sa.ForeignKey("users.id", ondelete="cascade"), nullable=True)
    __table_args__ = (sa.Index("ix_fido_user_id", "user_id"),)
 class User(Base, ModelMixin, UserMixin, PasswordOracle):
    __tablename__ = "users"
-    FLAG_DISABLE_CREATE_CONTACTS = 1 << 0
+    FLAG_FREE_DISABLE_CREATE_CONTACTS = 1 << 0
    FLAG_CREATED_FROM_PARTNER = 1 << 1
    FLAG_FREE_OLD_ALIAS_LIMIT = 1 << 2
    FLAG_CREATED_ALIAS_FROM_PARTNER = 1 << 3
@ -543,7 +550,7 @@ class User(Base, ModelMixin, UserMixin, PasswordOracle):
    # bitwise flags. Allow for future expansion
    flags = sa.Column(
        sa.BigInteger,
-        default=FLAG_DISABLE_CREATE_CONTACTS,
+        default=FLAG_FREE_DISABLE_CREATE_CONTACTS,
        server_default="0",
        nullable=False,
    )
@ -564,6 +571,11 @@ class User(Base, ModelMixin, UserMixin, PasswordOracle):
            "ix_users_activated_trial_end_lifetime", activated, trial_end, lifetime
        ),
        sa.Index("ix_users_delete_on", delete_on),
        sa.Index("ix_users_default_mailbox_id", default_mailbox_id),
        sa.Index(
            "ix_users_default_alias_custom_domain_id", default_alias_custom_domain_id
        ),
        sa.Index("ix_users_profile_picture_id", profile_picture_id),
    )
    @property
@ -628,7 +640,7 @@ class User(Base, ModelMixin, UserMixin, PasswordOracle):
        # If the user is created from partner, do not notify
        # nor give a trial
        if from_partner:
-            user.flags = User.FLAG_CREATED_FROM_PARTNER
+            user.flags = user.flags | User.FLAG_CREATED_FROM_PARTNER
            user.notification = False
            user.trial_end = None
            Job.create(
@ -1177,7 +1189,7 @@ class User(Base, ModelMixin, UserMixin, PasswordOracle):
    def can_create_contacts(self) -> bool:
        if self.is_premium():
            return True
-        if self.flags & User.FLAG_DISABLE_CREATE_CONTACTS == 0:
+        if self.flags & User.FLAG_FREE_DISABLE_CREATE_CONTACTS == 0:
            return True
        return not config.DISABLE_CREATE_CONTACTS_FOR_FREE_USERS
@ -1220,6 +1232,8 @@ class ActivationCode(Base, ModelMixin):
    expired = sa.Column(ArrowType, nullable=False, default=_expiration_1h)
    __table_args__ = (sa.Index("ix_activation_code_user_id", "user_id"),)
    def is_expired(self):
        return self.expired < arrow.now()
@ -1236,6 +1250,8 @@ class ResetPasswordCode(Base, ModelMixin):
    expired = sa.Column(ArrowType, nullable=False, default=_expiration_1h)
    __table_args__ = (sa.Index("ix_reset_password_code_user_id", "user_id"),)
    def is_expired(self):
        return self.expired < arrow.now()
@ -1278,6 +1294,8 @@ class MfaBrowser(Base, ModelMixin):
    user = orm.relationship(User)
    __table_args__ = (sa.Index("ix_mfa_browser_user_id", "user_id"),)
    @classmethod
    def create_new(cls, user, token_length=64) -> "MfaBrowser":
        found = False
@ -1336,6 +1354,12 @@ class Client(Base, ModelMixin):
    user = orm.relationship(User)
    referral = orm.relationship("Referral")
    __table_args__ = (
        sa.Index("ix_client_user_id", "user_id"),
        sa.Index("ix_client_icon_id", "icon_id"),
        sa.Index("ix_client_referral_id", "referral_id"),
    )
    def nb_user(self):
        return ClientUser.filter_by(client_id=self.id).count()
@ -1384,6 +1408,8 @@ class RedirectUri(Base, ModelMixin):
    client = orm.relationship(Client, backref="redirect_uris")
    __table_args__ = (sa.Index("ix_redirect_uri_client_id", "client_id"),)
 class AuthorizationCode(Base, ModelMixin):
    __tablename__ = "authorization_code"
@ -1405,6 +1431,11 @@ class AuthorizationCode(Base, ModelMixin):
    expired = sa.Column(ArrowType, nullable=False, default=_expiration_5m)
    __table_args__ = (
        sa.Index("ix_authorization_code_client_id", "client_id"),
        sa.Index("ix_authorization_code_user_id", "user_id"),
    )
    def is_expired(self):
        return self.expired < arrow.now()
@ -1427,6 +1458,11 @@ class OauthToken(Base, ModelMixin):
    expired = sa.Column(ArrowType, nullable=False, default=_expiration_1h)
    __table_args__ = (
        sa.Index("ix_oauth_token_user_id", "user_id"),
        sa.Index("ix_oauth_token_client_id", "client_id"),
    )
    def is_expired(self):
        return self.expired < arrow.now()
@ -1580,6 +1616,7 @@ class Alias(Base, ModelMixin):
            postgresql_ops={"note": "gin_trgm_ops"},
            postgresql_using="gin",
        ),
        Index("ix_alias_original_owner_id", "original_owner_id"),
    )
    user = orm.relationship(User, foreign_keys=[user_id])
@ -1622,7 +1659,7 @@ class Alias(Base, ModelMixin):
        return False
    @staticmethod
-    def get_custom_domain(alias_address) -> Optional["CustomDomain"]:
+    def get_custom_domain(alias_address: str) -> Optional["CustomDomain"]:
        alias_domain = validate_email(
            alias_address, check_deliverability=False, allow_smtputf8=False
        ).domain
@ -1665,6 +1702,11 @@ class Alias(Base, ModelMixin):
            custom_domain = Alias.get_custom_domain(email)
            if custom_domain:
                new_alias.custom_domain_id = custom_domain.id
        else:
            custom_domain = CustomDomain.get(kw["custom_domain_id"])
        # If it comes from a custom domain created from partner. Mark it as created from partner
        if custom_domain is not None and custom_domain.partner_id is not None:
            new_alias.flags = (new_alias.flags or 0) | Alias.FLAG_PARTNER_CREATED
        Session.add(new_alias)
        DailyMetric.get_or_create_today_metric().nb_alias += 1
@ -2068,7 +2110,12 @@ class Contact(Base, ModelMixin):
 class EmailLog(Base, ModelMixin):
    __tablename__ = "email_log"
-    __table_args__ = (Index("ix_email_log_created_at", "created_at"),)
+    __table_args__ = (
        Index("ix_email_log_created_at", "created_at"),
        Index("ix_email_log_mailbox_id", "mailbox_id"),
        Index("ix_email_log_bounced_mailbox_id", "bounced_mailbox_id"),
        Index("ix_email_log_refused_email_id", "refused_email_id"),
    )
    user_id = sa.Column(
        sa.ForeignKey(User.id, ondelete="cascade"), nullable=False, index=True
@ -2344,6 +2391,7 @@ class AliasUsedOn(Base, ModelMixin):
    __table_args__ = (
        sa.UniqueConstraint("alias_id", "hostname", name="uq_alias_used"),
        sa.Index("ix_alias_used_on_user_id", "user_id"),
    )
    alias_id = sa.Column(
@ -2370,6 +2418,11 @@ class ApiKey(Base, ModelMixin):
    user = orm.relationship(User)
    __table_args__ = (
        sa.Index("ix_api_key_code", "code"),
        sa.Index("ix_api_key_user_id", "user_id"),
    )
    @classmethod
    def create(cls, user_id, name=None, **kwargs):
        code = random_string(60)
@ -2528,6 +2581,7 @@ class AutoCreateRule(Base, ModelMixin):
        sa.UniqueConstraint(
            "custom_domain_id", "order", name="uq_auto_create_rule_order"
        ),
        sa.Index("ix_auto_create_rule_custom_domain_id", "custom_domain_id"),
    )
    custom_domain_id = sa.Column(
@ -2571,6 +2625,7 @@ class DomainDeletedAlias(Base, ModelMixin):
    __table_args__ = (
        sa.UniqueConstraint("domain_id", "email", name="uq_domain_trash"),
        sa.Index("ix_domain_deleted_alias_user_id", "user_id"),
    )
    email = sa.Column(sa.String(256), nullable=False)
@ -2631,6 +2686,8 @@ class Coupon(Base, ModelMixin):
    # a coupon can have an expiration
    expires_date = sa.Column(ArrowType, nullable=True)
    __table_args__ = (sa.Index("ix_coupon_used_by_user_id", "used_by_user_id"),)
 class Directory(Base, ModelMixin):
    __tablename__ = "directory"
@ -2645,6 +2702,8 @@ class Directory(Base, ModelMixin):
        "Mailbox", secondary="directory_mailbox", lazy="joined"
    )
    __table_args__ = (sa.Index("ix_directory_user_id", "user_id"),)
    @property
    def mailboxes(self):
        if self._mailboxes:
@ -2746,7 +2805,10 @@ class Mailbox(Base, ModelMixin):
    generic_subject = sa.Column(sa.String(78), nullable=True)
-    __table_args__ = (sa.UniqueConstraint("user_id", "email", name="uq_mailbox_user"),)
+    __table_args__ = (
        sa.UniqueConstraint("user_id", "email", name="uq_mailbox_user"),
        sa.Index("ix_mailbox_pgp_finger_print", "pgp_finger_print"),
    )
    user = orm.relationship(User, foreign_keys=[user_id])
@ -2883,6 +2945,8 @@ class RefusedEmail(Base, ModelMixin):
    # toggle this when email content (stored at full_report_path & path are deleted)
    deleted = sa.Column(sa.Boolean, nullable=False, default=False, server_default="0")
    __table_args__ = (sa.Index("ix_refused_email_user_id", "user_id"),)
    def get_url(self, expires_in=3600):
        if self.path:
            return s3.get_url(self.path, expires_in)
@ -2905,6 +2969,8 @@ class Referral(Base, ModelMixin):
    user = orm.relationship(User, foreign_keys=[user_id], backref="referrals")
    __table_args__ = (sa.Index("ix_referral_user_id", "user_id"),)
    @property
    def nb_user(self) -> int:
        return User.filter_by(referral_id=self.id, activated=True).count()
@ -2944,6 +3010,8 @@ class SentAlert(Base, ModelMixin):
    to_email = sa.Column(sa.String(256), nullable=False)
    alert_type = sa.Column(sa.String(256), nullable=False)
    __table_args__ = (sa.Index("ix_sent_alert_user_id", "user_id"),)
 class AliasMailbox(Base, ModelMixin):
    __tablename__ = "alias_mailbox"
@ -3189,6 +3257,11 @@ class BatchImport(Base, ModelMixin):
    file = orm.relationship(File)
    user = orm.relationship(User)
    __table_args__ = (
        sa.Index("ix_batch_import_file_id", "file_id"),
        sa.Index("ix_batch_import_user_id", "user_id"),
    )
    def nb_alias(self):
        return Alias.filter_by(batch_import_id=self.id).count()
@ -3209,6 +3282,7 @@ class AuthorizedAddress(Base, ModelMixin):
    __table_args__ = (
        sa.UniqueConstraint("mailbox_id", "email", name="uq_authorize_address"),
        sa.Index("ix_authorized_address_user_id", "user_id"),
    )
    mailbox = orm.relationship(Mailbox, backref="authorized_addresses")
@ -3350,6 +3424,8 @@ class Payout(Base, ModelMixin):
    user = orm.relationship(User)
    __table_args__ = (sa.Index("ix_payout_user_id", "user_id"),)
 class IgnoredEmail(Base, ModelMixin):
    """If an email has mail_from and rcpt_to present in this table, discard it by returning 250 status."""
@ -3451,6 +3527,8 @@ class PhoneReservation(Base, ModelMixin):
    start = sa.Column(ArrowType, nullable=False)
    end = sa.Column(ArrowType, nullable=False)
    __table_args__ = (sa.Index("ix_phone_reservation_user_id", "user_id"),)
 class PhoneMessage(Base, ModelMixin):
    __tablename__ = "phone_message"
@ -3625,6 +3703,11 @@ class ProviderComplaint(Base, ModelMixin):
    user = orm.relationship(User, foreign_keys=[user_id])
    refused_email = orm.relationship(RefusedEmail, foreign_keys=[refused_email_id])
    __table_args__ = (
        sa.Index("ix_provider_complaint_user_id", "user_id"),
        sa.Index("ix_provider_complaint_refused_email_id", "refused_email_id"),
    )
 class PartnerApiToken(Base, ModelMixin):
    __tablename__ = "partner_api_token"
@ -3695,7 +3778,8 @@ class PartnerSubscription(Base, ModelMixin):
    )
    # when the partner subscription ends
-    end_at = sa.Column(ArrowType, nullable=False, index=True)
+    end_at = sa.Column(ArrowType, nullable=True, index=True)
    lifetime = sa.Column(sa.Boolean, default=False, nullable=False, server_default="0")
    partner_user = orm.relationship(PartnerUser)
@ -3717,7 +3801,9 @@ class PartnerSubscription(Base, ModelMixin):
        return None
    def is_active(self):
-        return self.end_at > arrow.now().shift(days=-_PARTNER_SUBSCRIPTION_GRACE_DAYS)
+        return self.lifetime or self.end_at > arrow.now().shift(
            days=-_PARTNER_SUBSCRIPTION_GRACE_DAYS
        )
 # endregion
@ -3748,6 +3834,8 @@ class NewsletterUser(Base, ModelMixin):
    user = orm.relationship(User)
    newsletter = orm.relationship(Newsletter)
    __table_args__ = (sa.Index("ix_newsletter_user_user_id", "user_id"),)
 class ApiToCookieToken(Base, ModelMixin):
    __tablename__ = "api_cookie_token"
@ -3758,6 +3846,11 @@ class ApiToCookieToken(Base, ModelMixin):
    user = orm.relationship(User)
    api_key = orm.relationship(ApiKey)
    __table_args__ = (
        sa.Index("ix_api_to_cookie_token_api_key_id", "api_key_id"),
        sa.Index("ix_api_to_cookie_token_user_id", "user_id"),
    )
    @classmethod
    def create(cls, **kwargs):
        code = secrets.token_urlsafe(32)
@ -3781,15 +3874,18 @@ class SyncEvent(Base, ModelMixin):
    )
    def mark_as_taken(self, allow_taken_older_than: Optional[Arrow] = None) -> bool:
-        taken_condition = ["taken_time IS NULL"]
+        try:
-        args = {"taken_time": arrow.now().datetime, "sync_event_id": self.id}
+            taken_condition = ["taken_time IS NULL"]
-        if allow_taken_older_than:
+            args = {"taken_time": arrow.now().datetime, "sync_event_id": self.id}
-            taken_condition.append("taken_time < :taken_older_than")
+            if allow_taken_older_than:
-            args["taken_older_than"] = allow_taken_older_than.datetime
+                taken_condition.append("taken_time < :taken_older_than")
-        sql_taken_condition = "({})".format(" OR ".join(taken_condition))
+                args["taken_older_than"] = allow_taken_older_than.datetime
-        sql = f"UPDATE sync_event SET taken_time = :taken_time WHERE id = :sync_event_id AND {sql_taken_condition}"
+            sql_taken_condition = "({})".format(" OR ".join(taken_condition))
-        res = Session.execute(sql, args)
+            sql = f"UPDATE sync_event SET taken_time = :taken_time WHERE id = :sync_event_id AND {sql_taken_condition}"
-        Session.commit()
+            res = Session.execute(sql, args)
            Session.commit()
        except ObjectDeletedError:
            return False
        return res.rowcount > 0
--- a/app/app/partner_user_utils.py
+++ b/app/app/partner_user_utils.py
@ -1,8 +1,10 @@
 from typing import Optional
 import arrow
 from arrow import Arrow
-from app.models import PartnerUser, PartnerSubscription, User
+from app import config
 from app.models import PartnerUser, PartnerSubscription, User, Job
 from app.user_audit_log_utils import emit_user_audit_log, UserAuditLogAction
@ -15,6 +17,11 @@ def create_partner_user(
        partner_email=partner_email,
        external_user_id=external_user_id,
    )
    Job.create(
        name=config.JOB_SEND_ALIAS_CREATION_EVENTS,
        payload={"user_id": user.id},
        run_at=arrow.now(),
    )
    emit_user_audit_log(
        user=user,
        action=UserAuditLogAction.LinkAccount,
@ -26,12 +33,14 @@ def create_partner_user(
 def create_partner_subscription(
    partner_user: PartnerUser,
-    expiration: Optional[Arrow],
+    expiration: Optional[Arrow] = None,
    lifetime: bool = False,
    msg: Optional[str] = None,
 ) -> PartnerSubscription:
    instance = PartnerSubscription.create(
        partner_user_id=partner_user.id,
        end_at=expiration,
        lifetime=lifetime,
    )
    message = "User upgraded through partner subscription"
--- a/app/app/proton/proton_callback_handler.py
+++ b/app/app/proton/proton_callback_handler.py
@ -2,11 +2,9 @@ from dataclasses import dataclass
 from enum import Enum
 from flask import url_for
 from typing import Optional
 import arrow
 from app import config
 from app.errors import LinkException
-from app.models import User, Partner, Job
+from app.models import User, Partner
 from app.proton.proton_client import ProtonClient, ProtonUser
 from app.account_linking import (
    process_login_case,
@ -43,21 +41,12 @@ class ProtonCallbackHandler:
    def __init__(self, proton_client: ProtonClient):
        self.proton_client = proton_client
    def _initial_alias_sync(self, user: User):
        Job.create(
            name=config.JOB_SEND_ALIAS_CREATION_EVENTS,
            payload={"user_id": user.id},
            run_at=arrow.now(),
            commit=True,
        )
    def handle_login(self, partner: Partner) -> ProtonCallbackResult:
        try:
            user = self.__get_partner_user()
            if user is None:
                return generate_account_not_allowed_to_log_in()
            res = process_login_case(user, partner)
            self._initial_alias_sync(res.user)
            return ProtonCallbackResult(
                redirect_to_login=False,
                flash_message=None,
@ -86,7 +75,6 @@ class ProtonCallbackHandler:
            if user is None:
                return generate_account_not_allowed_to_log_in()
            res = process_link_case(user, current_user, partner)
            self._initial_alias_sync(res.user)
            return ProtonCallbackResult(
                redirect_to_login=False,
                flash_message="Account successfully linked",
--- a/app/app/proton/proton_client.py
+++ b/app/app/proton/proton_client.py
@ -16,6 +16,7 @@ PROTON_ERROR_CODE_HV_NEEDED = 9001
 PLAN_FREE = 1
 PLAN_PREMIUM = 2
 PLAN_PREMIUM_LIFETIME = 3
@dataclass
@ -112,10 +113,13 @@ class HttpProtonClient(ProtonClient):
        if plan_value == PLAN_FREE:
            plan = SLPlan(type=SLPlanType.Free, expiration=None)
        elif plan_value == PLAN_PREMIUM:
            expiration = info.get("PlanExpiration", "1")
            plan = SLPlan(
                type=SLPlanType.Premium,
-                expiration=Arrow.fromtimestamp(info["PlanExpiration"], tzinfo="utc"),
+                expiration=Arrow.fromtimestamp(expiration, tzinfo="utc"),
            )
        elif plan_value == PLAN_PREMIUM_LIFETIME:
            plan = SLPlan(SLPlanType.PremiumLifetime, expiration=None)
        else:
            raise Exception(f"Invalid value for plan: {plan_value}")
--- a/app/app/utils.py
+++ b/app/app/utils.py
@ -1,4 +1,3 @@
 import random
 import re
 import secrets
 import string
@ -32,8 +31,9 @@ def random_words(words: int = 2, numbers: int = 0):
    fields = [secrets.choice(_words) for i in range(words)]
    if numbers > 0:
-        digits = "".join([str(random.randint(0, 9)) for i in range(numbers)])
+        digits = [n for n in range(10)]
-        return "_".join(fields) + digits
+        suffix = "".join([str(secrets.choice(digits)) for i in range(numbers)])
        return "_".join(fields) + suffix
    else:
        return "_".join(fields)
--- a/app/cron.py
+++ b/app/cron.py
@ -286,8 +286,16 @@ def notify_manual_sub_end():
 def poll_apple_subscription():
    """Poll Apple API to update AppleSubscription"""
-    # todo: only near the end of the subscription
+    for apple_sub in (
-    for apple_sub in AppleSubscription.all():
+        AppleSubscription.filter(
            AppleSubscription.expires_date < arrow.now().shift(days=15)
        )
        .enable_eagerloads(False)
        .yield_per(100)
    ):
        if not apple_sub.is_valid():
            # Subscription is not valid anymore and hasn't been renewed
            continue
        if not apple_sub.product_id:
            LOG.d("Ignore %s", apple_sub)
            continue
@ -900,6 +908,24 @@ def check_mailbox_valid_pgp_keys():
 def check_custom_domain():
    # Delete custom domains that haven't been verified in a month
    for custom_domain in (
        CustomDomain.filter(
            CustomDomain.verified == False,  # noqa: E712
            CustomDomain.created_at < arrow.now().shift(months=-1),
        )
        .enable_eagerloads(False)
        .yield_per(100)
    ):
        alias_count = Alias.filter(Alias.custom_domain_id == custom_domain.id).count()
        if alias_count > 0:
            LOG.warn(
                f"Custom Domain {custom_domain} has {alias_count} aliases. Won't delete"
            )
        else:
            LOG.i(f"Deleting unverified old custom domain {custom_domain}")
            CustomDomain.delete(custom_domain.id)
    LOG.d("Check verified domain for DNS issues")
    for custom_domain in CustomDomain.filter_by(verified=True):  # type: CustomDomain
@ -971,7 +997,7 @@ def delete_expired_tokens():
    LOG.d("Delete api to cookie tokens older than %s, nb row %s", max_time, nb_row)
-async def _hibp_check(api_key, queue):
+async def _hibp_check(api_key: str, queue: asyncio.Queue):
    """
    Uses a single API key to check the queue as fast as possible.
@ -990,11 +1016,16 @@ async def _hibp_check(api_key, queue):
        if not alias:
            continue
        user = alias.user
-        if user.disabled or not user.is_paid():
+        if user.disabled or not user.is_premium():
            # Mark it as hibp done to skip it as if it had been checked
            alias.hibp_last_check = arrow.utcnow()
            Session.commit()
            continue
        if alias.flags & Alias.FLAG_PARTNER_CREATED > 0:
            # Mark as hibp done
            alias.hibp_last_check = arrow.utcnow()
            Session.commit()
            continue
        LOG.d("Checking HIBP for %s", alias)
--- a/app/crontab.yml
+++ b/app/crontab.yml
@ -14,15 +14,28 @@ jobs:
  - name: SimpleLogin Custom Domain check
    command: python /code/cron.py -j check_custom_domain
    shell: /bin/bash
-    schedule: "15 2 * * *"
+    schedule: "15 */4 * * *"
    captureStderr: true
    concurrencyPolicy: Forbid
    onFailure:
      retry:
        maximumRetries: 10
        initialDelay: 1
        maximumDelay: 30
        backoffMultiplier: 2
  - name: SimpleLogin HIBP check
    command: python /code/cron.py -j check_hibp
    shell: /bin/bash
-    schedule: "15 3 * * *"
+    schedule: "13 */4 * * *"
    captureStderr: true
    concurrencyPolicy: Forbid
    onFailure:
      retry:
        maximumRetries: 10
        initialDelay: 1
        maximumDelay: 30
        backoffMultiplier: 2
  - name: SimpleLogin Notify HIBP breaches
    command: python /code/cron.py -j notify_hibp
@ -31,6 +44,7 @@ jobs:
    captureStderr: true
    concurrencyPolicy: Forbid
  - name: SimpleLogin Delete Logs
    command: python /code/cron.py -j delete_logs
    shell: /bin/bash
--- a/app/email_handler.py
+++ b/app/email_handler.py
@ -149,6 +149,7 @@ from app.handler.unsubscribe_generator import UnsubscribeGenerator
 from app.handler.unsubscribe_handler import UnsubscribeHandler
 from app.log import LOG, set_message_id
 from app.mail_sender import sl_sendmail
 from app.mailbox_utils import get_mailbox_for_reply_phase
 from app.message_utils import message_to_bytes
 from app.models import (
    Alias,
@ -172,12 +173,14 @@ from app.pgp_utils import (
    sign_data,
    load_public_key_and_check,
 )
-from app.utils import sanitize_email, canonicalize_email
+from app.utils import sanitize_email
 from init_app import load_pgp_public_keys
 from server import create_light_app
-def get_or_create_contact(from_header: str, mail_from: str, alias: Alias) -> Contact:
+def get_or_create_contact(
    from_header: str, mail_from: str, alias: Alias
 ) -> Optional[Contact]:
    """
    contact_from_header is the RFC 2047 format FROM header
    """
@ -208,6 +211,8 @@ def get_or_create_contact(from_header: str, mail_from: str, alias: Alias) -> Con
        automatic_created=True,
        from_partner=False,
    )
    if contact_result.error:
        LOG.w(f"Error creating contact: {contact_result.error.value}")
    return contact_result.contact
@ -558,7 +563,7 @@ def handle_forward(envelope, msg: Message, rcpt_to: str) -> List[Tuple[bool, str
    if not user.is_active():
        LOG.w(f"User {user} has been soft deleted")
-        return False, status.E502
+        return [(False, status.E502)]
    if not user.can_send_or_receive():
        LOG.i(f"User {user} cannot receive emails")
@ -579,6 +584,8 @@ def handle_forward(envelope, msg: Message, rcpt_to: str) -> List[Tuple[bool, str
    from_header = get_header_unicode(msg[headers.FROM])
    LOG.d("Create or get contact for from_header:%s", from_header)
    contact = get_or_create_contact(from_header, envelope.mail_from, alias)
    if not contact:
        return [(False, status.E504)]
    alias = (
        contact.alias
    )  # In case the Session was closed in the get_or_create we re-fetch the alias
@ -593,6 +600,17 @@ def handle_forward(envelope, msg: Message, rcpt_to: str) -> List[Tuple[bool, str
        else:
            reply_to_contact = get_or_create_reply_to_contact(reply_to, alias, msg)
    if alias.user.delete_on is not None:
        LOG.d(f"user {user} is pending to be deleted. Do not forward")
        EmailLog.create(
            contact_id=contact.id,
            user_id=contact.user_id,
            blocked=True,
            alias_id=contact.alias_id,
            commit=True,
        )
        return [(True, status.E502)]
    if not alias.enabled or contact.block_forward:
        LOG.d("%s is disabled, do not forward", alias)
        EmailLog.create(
@ -1002,7 +1020,6 @@ def handle_reply(envelope, msg: Message, rcpt_to: str) -> (bool, str):
        return False, status.E503
    user = alias.user
    mail_from = envelope.mail_from
    if not user.can_send_or_receive():
        LOG.i(f"User {user} cannot send emails")
@ -1016,13 +1033,15 @@ def handle_reply(envelope, msg: Message, rcpt_to: str) -> (bool, str):
        return False, dmarc_delivery_status
    # Anti-spoofing
-    mailbox = get_mailbox_from_mail_from(mail_from, alias)
+    mailbox = get_mailbox_for_reply_phase(
        envelope.mail_from, get_header_unicode(msg[headers.FROM]), alias
    )
    if not mailbox:
        if alias.disable_email_spoofing_check:
            # ignore this error, use default alias mailbox
            LOG.w(
                "ignore unknown sender to reverse-alias %s: %s -> %s",
-                mail_from,
+                envelope.mail_from,
                alias,
                contact,
            )
@ -1361,32 +1380,6 @@ def replace_original_message_id(alias: Alias, email_log: EmailLog, msg: Message)
        msg[headers.REFERENCES] = " ".join(new_message_ids)
 def get_mailbox_from_mail_from(mail_from: str, alias) -> Optional[Mailbox]:
    """return the corresponding mailbox given the mail_from and alias
    Usually the mail_from=mailbox.email but it can also be one of the authorized address
    """
    def __check(email_address: str, alias: Alias) -> Optional[Mailbox]:
        for mailbox in alias.mailboxes:
            if mailbox.email == email_address:
                return mailbox
            for authorized_address in mailbox.authorized_addresses:
                if authorized_address.email == email_address:
                    LOG.d(
                        "Found an authorized address for %s %s %s",
                        alias,
                        mailbox,
                        authorized_address,
                    )
                    return mailbox
        return None
    # We need to first check for the uncanonicalized version because we still have users in the db with the
    # email non canonicalized. So if it matches the already existing one use that, otherwise check the canonical one
    return __check(mail_from, alias) or __check(canonicalize_email(mail_from), alias)
 def handle_unknown_mailbox(
    envelope, msg, reply_email: str, user: User, alias: Alias, contact: Contact
 ):
--- a/app/events/event_sink.py
+++ b/app/events/event_sink.py
@ -12,6 +12,10 @@ class EventSink(ABC):
    def process(self, event: SyncEvent) -> bool:
        pass
    @abstractmethod
    def send_data_to_webhook(self, data: bytes) -> bool:
        pass
 class HttpEventSink(EventSink):
    def process(self, event: SyncEvent) -> bool:
@ -21,9 +25,16 @@ class HttpEventSink(EventSink):
        LOG.info(f"Sending event {event.id} to {EVENT_WEBHOOK}")
        if self.send_data_to_webhook(event.content):
            LOG.info(f"Event {event.id} sent successfully to webhook")
            return True
        return False
    def send_data_to_webhook(self, data: bytes) -> bool:
        res = requests.post(
            url=EVENT_WEBHOOK,
-            data=event.content,
+            data=data,
            headers={"Content-Type": "application/x-protobuf"},
            verify=not EVENT_WEBHOOK_SKIP_VERIFY_SSL,
        )
@ -36,7 +47,6 @@ class HttpEventSink(EventSink):
            )
            return False
        else:
            LOG.info(f"Event {event.id} sent successfully to webhook")
            return True
@ -44,3 +54,7 @@ class ConsoleEventSink(EventSink):
    def process(self, event: SyncEvent) -> bool:
        LOG.info(f"Handling event {event.id}")
        return True
    def send_data_to_webhook(self, data: bytes) -> bool:
        LOG.info(f"Sending {len(data)} bytes to webhook")
        return True
--- a/app/job_runner.py
+++ b/app/job_runner.py
@ -18,6 +18,7 @@ from app.events.event_dispatcher import PostgresDispatcher
 from app.import_utils import handle_batch_import
 from app.jobs.event_jobs import send_alias_creation_events_for_user
 from app.jobs.export_user_data_job import ExportUserDataJob
 from app.jobs.send_event_job import SendEventToWebhookJob
 from app.log import LOG
 from app.models import User, Job, BatchImport, Mailbox, CustomDomain, JobState
 from app.user_audit_log_utils import emit_user_audit_log, UserAuditLogAction
@ -163,6 +164,8 @@ def delete_mailbox_job(job: Job):
    Session.commit()
    LOG.d("Mailbox %s %s deleted", mailbox_id, mailbox_email)
    if not job.payload.get("send_mail", True):
        return
    if alias_transferred_to:
        send_email(
            user.email,
@ -300,6 +303,10 @@ def process_job(job: Job):
            send_alias_creation_events_for_user(
                user, dispatcher=PostgresDispatcher.get()
            )
    elif job.name == config.JOB_SEND_EVENT_TO_WEBHOOK:
        send_job = SendEventToWebhookJob.create_from_job(job)
        if send_job:
            send_job.run()
    else:
        LOG.e("Unknown job name %s", job.name)
--- a/app/local_data/words.txt
+++ b/app/local_data/words.txt
@ -1,6 +1,4 @@
 abacus
 abdomen
 abdominal
 abide
 abiding
 ability
@ -1031,7 +1029,6 @@ chosen
 chowder
 chowtime
 chrome
 chubby
 chuck
 chug
 chummy
@ -2041,8 +2038,6 @@ dwindling
 dynamic
 dynamite
 dynasty
 dyslexia
 dyslexic
 each
 eagle
 earache
@ -2081,7 +2076,6 @@ eatery
 eating
 eats
 ebay
 ebony
 ebook
 ecard
 eccentric
@ -2375,8 +2369,6 @@ exclude
 excluding
 exclusion
 exclusive
 excretion
 excretory
 excursion
 excusable
 excusably
@ -2396,8 +2388,6 @@ existing
 exit
 exodus
 exonerate
 exorcism
 exorcist
 expand
 expanse
 expansion
@ -2483,7 +2473,6 @@ fanning
 fantasize
 fantastic
 fantasy
 fascism
 fastball
 faster
 fasting
@ -3028,7 +3017,6 @@ guiding
 guileless
 guise
 gulf
 gullible
 gully
 gulp
 gumball
@ -3040,10 +3028,6 @@ gurgle
 gurgling
 guru
 gush
 gusto
 gusty
 gutless
 guts
 gutter
 guy
 guzzler
@ -3242,8 +3226,6 @@ humble
 humbling
 humbly
 humid
 humiliate
 humility
 humming
 hummus
 humongous
@ -3271,7 +3253,6 @@ hurray
 hurricane
 hurried
 hurry
 hurt
 husband
 hush
 husked
@ -3292,8 +3273,6 @@ hypnotic
 hypnotism
 hypnotist
 hypnotize
 hypocrisy
 hypocrite
 ibuprofen
 ice
 iciness
@ -3323,7 +3302,6 @@ image
 imaginary
 imagines
 imaging
 imbecile
 imitate
 imitation
 immerse
@ -3746,7 +3724,6 @@ machine
 machinist
 magazine
 magenta
 maggot
 magical
 magician
 magma
@ -3968,8 +3945,6 @@ multitude
 mumble
 mumbling
 mumbo
 mummified
 mummify
 mumps
 munchkin
 mundane
@ -4022,8 +3997,6 @@ napped
 napping
 nappy
 narrow
 nastily
 nastiness
 national
 native
 nativity
@ -4446,7 +4419,6 @@ pasta
 pasted
 pastel
 pastime
 pastor
 pastrami
 pasture
 pasty
@ -4458,7 +4430,6 @@ path
 patience
 patient
 patio
 patriarch
 patriot
 patrol
 patronage
@ -4549,7 +4520,6 @@ pettiness
 petty
 petunia
 phantom
 phobia
 phoenix
 phonebook
 phoney
@ -4608,7 +4578,6 @@ plot
 plow
 ploy
 pluck
 plug
 plunder
 plunging
 plural
@ -4875,7 +4844,6 @@ pupil
 puppet
 puppy
 purchase
 pureblood
 purebred
 purely
 pureness
@ -5047,7 +5015,6 @@ recharger
 recipient
 recital
 recite
 reckless
 reclaim
 recliner
 reclining
@ -5440,7 +5407,6 @@ rubdown
 ruby
 ruckus
 rudder
 rug
 ruined
 rule
 rumble
@ -5448,7 +5414,6 @@ rumbling
 rummage
 rumor
 runaround
 rundown
 runner
 running
 runny
@ -5518,7 +5483,6 @@ sandpaper
 sandpit
 sandstone
 sandstorm
 sandworm
 sandy
 sanitary
 sanitizer
@ -5541,7 +5505,6 @@ satisfy
 saturate
 saturday
 sauciness
 saucy
 sauna
 savage
 savanna
@ -5552,7 +5515,6 @@ savor
 saxophone
 say
 scabbed
 scabby
 scalded
 scalding
 scale
@ -5587,7 +5549,6 @@ science
 scientist
 scion
 scoff
 scolding
 scone
 scoop
 scooter
@ -5651,8 +5612,6 @@ sedate
 sedation
 sedative
 sediment
 seduce
 seducing
 segment
 seismic
 seizing
@ -5899,7 +5858,6 @@ skimpily
 skincare
 skinless
 skinning
 skinny
 skintight
 skipper
 skipping
@ -6248,17 +6206,12 @@ stifle
 stifling
 stillness
 stilt
 stimulant
 stimulate
 stimuli
 stimulus
 stinger
 stingily
 stinging
 stingray
 stingy
 stinking
 stinky
 stipend
 stipulate
 stir
@ -6866,7 +6819,6 @@ unbent
 unbiased
 unbitten
 unblended
 unblessed
 unblock
 unbolted
 unbounded
@ -6947,7 +6899,6 @@ undertone
 undertook
 undertow
 underuse
 underwear
 underwent
 underwire
 undesired
@ -7000,7 +6951,6 @@ unfunded
 unglazed
 ungloved
 unglue
 ungodly
 ungraded
 ungreased
 unguarded
@ -7032,7 +6982,6 @@ uninsured
 uninvited
 union
 uniquely
 unisexual
 unison
 unissued
 unit
@ -7493,8 +7442,6 @@ wheat
 whenever
 whiff
 whimsical
 whinny
 whiny
 whisking
 whoever
 whole
@ -7600,7 +7547,6 @@ wrongness
 wrought
 xbox
 xerox
 yahoo
 yam
 yanking
 yapping
--- a/app/migrations/versions/2024_110610_4882cc49dde9_preserve_user_id_on_alias_delete.py
+++ b/app/migrations/versions/2024_110610_4882cc49dde9_preserve_user_id_on_alias_delete.py
@ -0,0 +1,28 @@
 """Preserve user id on alias delete
 Revision ID: 4882cc49dde9
 Revises: 32f25cbf12f6
 Create Date: 2024-11-06 10:10:40.235991
 """
 from alembic import op
 import sqlalchemy as sa
 # revision identifiers, used by Alembic.
 revision = '4882cc49dde9'
 down_revision = '32f25cbf12f6'
 branch_labels = None
 depends_on = None
 def upgrade():
    op.add_column('deleted_alias', sa.Column('user_id', sa.Integer(), server_default=None, nullable=True))
    with op.get_context().autocommit_block():
        op.create_index('ix_deleted_alias_user_id_created_at', 'deleted_alias', ['user_id', 'created_at'], unique=False, postgresql_concurrently=True)
 def downgrade():
    with op.get_context().autocommit_block():
        op.drop_index('ix_deleted_alias_user_id_created_at', table_name='deleted_alias')
    op.drop_column('deleted_alias', 'user_id')
--- a/app/migrations/versions/2024_110612_bc9aa210efa3_revert_user_id_in_deleted_alias.py
+++ b/app/migrations/versions/2024_110612_bc9aa210efa3_revert_user_id_in_deleted_alias.py
@ -0,0 +1,28 @@
 """Revert user id on deleted alias
 Revision ID: bc9aa210efa3
 Revises: 4882cc49dde9
 Create Date: 2024-11-06 12:44:44.129691
 """
 from alembic import op
 import sqlalchemy as sa
 # revision identifiers, used by Alembic.
 revision = 'bc9aa210efa3'
 down_revision = '4882cc49dde9'
 branch_labels = None
 depends_on = None
 def upgrade():
    with op.get_context().autocommit_block():
        op.drop_index('ix_deleted_alias_user_id_created_at', table_name='deleted_alias')
    op.drop_column('deleted_alias', 'user_id')
 def downgrade():
    op.add_column('deleted_alias', sa.Column('user_id', sa.Integer(), server_default=None, nullable=True))
    with op.get_context().autocommit_block():
        op.create_index('ix_deleted_alias_user_id_created_at', 'deleted_alias', ['user_id', 'created_at'], unique=False, postgresql_concurrently=True)
--- a/app/migrations/versions/2024_111315_842ac670096e_add_missing_indices_on_user_and_mailbox.py
+++ b/app/migrations/versions/2024_111315_842ac670096e_add_missing_indices_on_user_and_mailbox.py
@ -0,0 +1,30 @@
 """add missing indices on user and mailbox
 Revision ID: 842ac670096e
 Revises: bc9aa210efa3
 Create Date: 2024-11-13 15:55:28.798506
 """
 import sqlalchemy_utils
 from alembic import op
 import sqlalchemy as sa
 # revision identifiers, used by Alembic.
 revision = '842ac670096e'
 down_revision = 'bc9aa210efa3'
 branch_labels = None
 depends_on = None
 def upgrade():
    with op.get_context().autocommit_block():
        op.create_index('ix_mailbox_pgp_finger_print', 'mailbox', ['pgp_finger_print'], unique=False)
        op.create_index('ix_users_default_mailbox_id', 'users', ['default_mailbox_id'], unique=False)
    # ### end Alembic commands ###
 def downgrade():
    with op.get_context().autocommit_block():
        op.drop_index('ix_users_default_mailbox_id', table_name='users')
        op.drop_index('ix_mailbox_pgp_finger_print', table_name='mailbox')
--- a/app/migrations/versions/2024_111410_12274da2299f_add_missing_indices_on_email_log.py
+++ b/app/migrations/versions/2024_111410_12274da2299f_add_missing_indices_on_email_log.py
@ -0,0 +1,29 @@
 """add missing indices on email log
 Revision ID: 12274da2299f
 Revises: 842ac670096e
 Create Date: 2024-11-14 10:27:20.371191
 """
 import sqlalchemy_utils
 from alembic import op
 import sqlalchemy as sa
 # revision identifiers, used by Alembic.
 revision = '12274da2299f'
 down_revision = '842ac670096e'
 branch_labels = None
 depends_on = None
 def upgrade():
    with op.get_context().autocommit_block():
        op.create_index('ix_email_log_bounced_mailbox_id', 'email_log', ['bounced_mailbox_id'], unique=False)
        op.create_index('ix_email_log_mailbox_id', 'email_log', ['mailbox_id'], unique=False)
 def downgrade():
    with op.get_context().autocommit_block():
        op.drop_index('ix_email_log_mailbox_id', table_name='email_log')
        op.drop_index('ix_email_log_bounced_mailbox_id', table_name='email_log')
--- a/app/migrations/versions/2024_111512_0f3ee15b0014_add_missing_indices_for_fk_constraints.py
+++ b/app/migrations/versions/2024_111512_0f3ee15b0014_add_missing_indices_for_fk_constraints.py
@ -0,0 +1,102 @@
 """add missing indices for fk constraints
 Revision ID: 0f3ee15b0014
 Revises: 12274da2299f
 Create Date: 2024-11-15 12:29:10.739938
 """
 import sqlalchemy_utils
 from alembic import op
 import sqlalchemy as sa
 # revision identifiers, used by Alembic.
 revision = '0f3ee15b0014'
 down_revision = '12274da2299f'
 branch_labels = None
 depends_on = None
 def upgrade():
    with op.get_context().autocommit_block():
        op.create_index('ix_activation_code_user_id', 'activation_code', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_alias_original_owner_id', 'alias', ['original_owner_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_alias_used_on_user_id', 'alias_used_on', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_api_to_cookie_token_api_key_id', 'api_cookie_token', ['api_key_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_api_to_cookie_token_user_id', 'api_cookie_token', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_api_key_code', 'api_key', ['code'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_api_key_user_id', 'api_key', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_authorization_code_client_id', 'authorization_code', ['client_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_authorization_code_user_id', 'authorization_code', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_authorized_address_user_id', 'authorized_address', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_auto_create_rule_custom_domain_id', 'auto_create_rule', ['custom_domain_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_batch_import_file_id', 'batch_import', ['file_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_batch_import_user_id', 'batch_import', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_client_icon_id', 'client', ['icon_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_client_referral_id', 'client', ['referral_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_client_user_id', 'client', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_coupon_used_by_user_id', 'coupon', ['used_by_user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_directory_user_id', 'directory', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_domain_deleted_alias_user_id', 'domain_deleted_alias', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_email_log_refused_email_id', 'email_log', ['refused_email_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_fido_user_id', 'fido', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_file_user_id', 'file', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_hibp_notified_alias_user_id', 'hibp_notified_alias', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_mfa_browser_user_id', 'mfa_browser', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_newsletter_user_user_id', 'newsletter_user', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_oauth_token_client_id', 'oauth_token', ['client_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_oauth_token_user_id', 'oauth_token', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_payout_user_id', 'payout', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_phone_reservation_user_id', 'phone_reservation', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_provider_complaint_refused_email_id', 'provider_complaint', ['refused_email_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_provider_complaint_user_id', 'provider_complaint', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_redirect_uri_client_id', 'redirect_uri', ['client_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_referral_user_id', 'referral', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_refused_email_user_id', 'refused_email', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_reset_password_code_user_id', 'reset_password_code', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_sent_alert_user_id', 'sent_alert', ['user_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_users_default_alias_custom_domain_id', 'users', ['default_alias_custom_domain_id'], unique=False, postgresql_concurrently=True)
        op.create_index('ix_users_profile_picture_id', 'users', ['profile_picture_id'], unique=False, postgresql_concurrently=True)
 def downgrade():
    with op.get_context().autocommit_block():
        op.drop_index('ix_users_profile_picture_id', table_name='users')
        op.drop_index('ix_users_default_alias_custom_domain_id', table_name='users')
        op.drop_index('ix_sent_alert_user_id', table_name='sent_alert')
        op.drop_index('ix_reset_password_code_user_id', table_name='reset_password_code')
        op.drop_index('ix_refused_email_user_id', table_name='refused_email')
        op.drop_index('ix_referral_user_id', table_name='referral')
        op.drop_index('ix_redirect_uri_client_id', table_name='redirect_uri')
        op.drop_index('ix_provider_complaint_user_id', table_name='provider_complaint')
        op.drop_index('ix_provider_complaint_refused_email_id', table_name='provider_complaint')
        op.drop_index('ix_phone_reservation_user_id', table_name='phone_reservation')
        op.drop_index('ix_payout_user_id', table_name='payout')
        op.drop_index('ix_oauth_token_user_id', table_name='oauth_token')
        op.drop_index('ix_oauth_token_client_id', table_name='oauth_token')
        op.drop_index('ix_newsletter_user_user_id', table_name='newsletter_user')
        op.drop_index('ix_mfa_browser_user_id', table_name='mfa_browser')
        op.drop_index('ix_hibp_notified_alias_user_id', table_name='hibp_notified_alias')
        op.drop_index('ix_file_user_id', table_name='file')
        op.drop_index('ix_fido_user_id', table_name='fido')
        op.drop_index('ix_email_log_refused_email_id', table_name='email_log')
        op.drop_index('ix_domain_deleted_alias_user_id', table_name='domain_deleted_alias')
        op.drop_index('ix_directory_user_id', table_name='directory')
        op.drop_index('ix_coupon_used_by_user_id', table_name='coupon')
        op.drop_index('ix_client_user_id', table_name='client')
        op.drop_index('ix_client_referral_id', table_name='client')
        op.drop_index('ix_client_icon_id', table_name='client')
        op.drop_index('ix_batch_import_user_id', table_name='batch_import')
        op.drop_index('ix_batch_import_file_id', table_name='batch_import')
        op.drop_index('ix_auto_create_rule_custom_domain_id', table_name='auto_create_rule')
        op.drop_index('ix_authorized_address_user_id', table_name='authorized_address')
        op.drop_index('ix_authorization_code_user_id', table_name='authorization_code')
        op.drop_index('ix_authorization_code_client_id', table_name='authorization_code')
        op.drop_index('ix_api_key_user_id', table_name='api_key')
        op.drop_index('ix_api_key_code', table_name='api_key')
        op.drop_index('ix_api_to_cookie_token_user_id', table_name='api_cookie_token')
        op.drop_index('ix_api_to_cookie_token_api_key_id', table_name='api_cookie_token')
        op.drop_index('ix_alias_used_on_user_id', table_name='alias_used_on')
        op.drop_index('ix_alias_original_owner_id', table_name='alias')
        op.drop_index('ix_activation_code_user_id', table_name='activation_code')
--- a/app/migrations/versions/2024_112619_085f77996ce3_.py
+++ b/app/migrations/versions/2024_112619_085f77996ce3_.py
@ -0,0 +1,35 @@
 """empty message
 Revision ID: 085f77996ce3
 Revises: 0f3ee15b0014
 Create Date: 2024-11-26 19:20:32.227899
 """
 import sqlalchemy_utils
 from alembic import op
 import sqlalchemy as sa
 from sqlalchemy.dialects import postgresql
 # revision identifiers, used by Alembic.
 revision = '085f77996ce3'
 down_revision = '0f3ee15b0014'
 branch_labels = None
 depends_on = None
 def upgrade():
    # ### commands auto generated by Alembic - please adjust! ###
    op.add_column('partner_subscription', sa.Column('lifetime', sa.Boolean(), server_default='0', nullable=False))
    op.alter_column('partner_subscription', 'end_at',
               existing_type=postgresql.TIMESTAMP(),
               nullable=True)
    # ### end Alembic commands ###
 def downgrade():
    # ### commands auto generated by Alembic - please adjust! ###
    op.alter_column('partner_subscription', 'end_at',
               existing_type=postgresql.TIMESTAMP(),
               nullable=False)
    op.drop_column('partner_subscription', 'lifetime')
    # ### end Alembic commands ###
--- a/app/oneshot/send_lifetime_user_events.py
+++ b/app/oneshot/send_lifetime_user_events.py
@ -0,0 +1,62 @@
 #!/usr/bin/env python3
 import argparse
 import time
 import arrow
 from sqlalchemy import func
 from app.events.event_dispatcher import EventDispatcher
 from app.events.generated.event_pb2 import UserPlanChanged, EventContent
 from app.models import PartnerUser, User
 from app.db import Session
 parser = argparse.ArgumentParser(
    prog="Backfill alias", description="Send lifetime users to proton"
 )
 parser.add_argument(
    "-s", "--start_pu_id", default=0, type=int, help="Initial partner_user_id"
 )
 parser.add_argument(
    "-e", "--end_pu_id", default=0, type=int, help="Last partner_user_id"
 )
 args = parser.parse_args()
 pu_id_start = args.start_pu_id
 max_pu_id = args.end_pu_id
 if max_pu_id == 0:
    max_pu_id = Session.query(func.max(PartnerUser.id)).scalar()
 print(f"Checking partner user {pu_id_start} to {max_pu_id}")
 step = 1000
 done = 0
 start_time = time.time()
 with_lifetime = 0
 for batch_start in range(pu_id_start, max_pu_id, step):
    users = (
        Session.query(User)
        .join(PartnerUser, PartnerUser.user_id == User.id)
        .filter(
            PartnerUser.id >= batch_start,
            PartnerUser.id < batch_start + step,
            User.lifetime == True,  # noqa :E712
        )
    ).all()
    for user in users:
        # Just in case the == True cond is wonky
        if not user.lifetime:
            continue
        with_lifetime += 1
        event = UserPlanChanged(plan_end_time=arrow.get("2038-01-01").timestamp)
        EventDispatcher.send_event(user, EventContent(user_plan_change=event))
        Session.flush()
    Session.commit()
    elapsed = time.time() - start_time
    last_batch_id = batch_start + step
    time_per_alias = elapsed / (last_batch_id)
    remaining = max_pu_id - last_batch_id
    time_remaining = remaining / time_per_alias
    hours_remaining = time_remaining / 60.0
    print(
        f"\PartnerUser {batch_start}/{max_pu_id} {with_lifetime} {hours_remaining:.2f} mins remaining"
    )
 print(f"With SL lifetime {with_lifetime}")
--- a/app/oneshot/send_plan_change_events.py
+++ b/app/oneshot/send_plan_change_events.py
@ -2,10 +2,10 @@
 import argparse
 import time
 import arrow
 from sqlalchemy import func
-from app.events.event_dispatcher import EventDispatcher
+from app.account_linking import send_user_plan_changed_event
 from app.events.generated.event_pb2 import UserPlanChanged, EventContent
 from app.models import PartnerUser
 from app.db import Session
@ -30,6 +30,7 @@ step = 100
 updated = 0
 start_time = time.time()
 with_premium = 0
 with_lifetime = 0
 for batch_start in range(pu_id_start, max_pu_id, step):
    partner_users = (
        Session.query(PartnerUser).filter(
@ -37,18 +38,12 @@ for batch_start in range(pu_id_start, max_pu_id, step):
        )
    ).all()
    for partner_user in partner_users:
-        subscription_end = partner_user.user.get_active_subscription_end(
+        subscription_end = send_user_plan_changed_event(partner_user)
-            include_partner_subscription=False
+        if subscription_end is not None:
-        )
+            if subscription_end > arrow.get("2038-01-01").timestamp:
-        end_timestamp = None
+                with_lifetime += 1
-        if subscription_end:
+            else:
-            with_premium += 1
+                with_premium += 1
            end_timestamp = subscription_end.timestamp
        event = UserPlanChanged(plan_end_time=end_timestamp)
        EventDispatcher.send_event(
            partner_user.user, EventContent(user_plan_change=event)
        )
        Session.flush()
        updated += 1
    Session.commit()
    elapsed = time.time() - start_time
@ -60,4 +55,4 @@ for batch_start in range(pu_id_start, max_pu_id, step):
    print(
        f"\PartnerUser {batch_start}/{max_pu_id} {updated} {hours_remaining:.2f} mins remaining"
    )
-print(f"With SL premium {with_premium}")
+print(f"With SL premium {with_premium} lifetime {with_lifetime}")
--- a/app/pyproject.toml
+++ b/app/pyproject.toml
@ -1,20 +1,100 @@
 [project]
 name = "SimpleLogin"
 version = "0.1.0"
 description = "SimpleLogin partner API"
 authors = [ {name="SimpleLogin", email="dev@simplelogin.io"}]
 license = "MIT"
 repository = "https://github.com/simple-login/app"
 keywords = ["email", "alias", "privacy", "oauth2", "openid"]
 packages = [
    { include = "app/" },
    { include = "migrations/" },
 ]
 include = ["templates/*", "templates/**/*", "local_data/*.txt"]
 requires-python = "~=3.10"
 dependencies = [
    "flask ~= 1.1.2",
    "flask_login ~= 0.5.0",
    "wtforms ~= 2.3.3",
    "unidecode ~= 1.1.1",
    "gunicorn ~= 20.0.4",
    "bcrypt ~= 3.2.0",
    "python-dotenv ~= 0.14.0",
    "ipython ~= 7.31.1",
    "sqlalchemy_utils ~= 0.36.8",
    "psycopg2-binary ~= 2.9.3",
    "sentry_sdk ~= 2.20.0",
    "blinker ~= 1.4",
    "arrow ~= 0.16.0",
    "Flask-WTF ~= 0.14.3",
    "boto3 ~= 1.35.37",
    "Flask-Migrate ~= 2.5.3",
    "flask_admin ~= 1.5.6",
    "flask-cors ~= 3.0.9",
    "watchtower ~= 0.8.0",
    "sqlalchemy-utils == 0.36.8",
    "jwcrypto ~= 0.8",
    "yacron>=0.19.0",
    "flask-debugtoolbar ~= 0.11.0",
    "requests_oauthlib ~= 1.3.0",
    "pyopenssl ~= 19.1.0",
    "aiosmtpd ~= 1.2",
    "dnspython == 2.6.1",
    "coloredlogs ~= 14.0",
    "pycryptodome ~= 3.9.8",
    "phpserialize ~= 1.3",
    "dkimpy ~= 1.0.5",
    "pyotp ~= 2.4.0",
    "flask_profiler ~= 1.8.1",
    "facebook-sdk ~= 3.1.0",
    "google-api-python-client ~= 1.12.3",
    "google-auth-httplib2 ~= 0.0.4",
    "python-gnupg ~= 0.4.6",
    "webauthn ~= 0.4.7",
    "pyspf ~= 2.0.14",
    "Flask-Limiter == 1.4",
    "memory_profiler ~= 0.57.0",
    "gevent ~= 24.11.1",
    "email-validator ~= 1.1.3",
    "PGPy == 0.5.4",
    "coinbase-commerce ~= 1.0.1",
    "requests ~= 2.25.1",
    "newrelic ~= 8.8.0",
    "flanker ~= 0.9.11",
    "pyre2 ~= 0.3.6",
    "tldextract ~= 3.1.2",
    "flask-debugtoolbar-sqlalchemy ~= 0.2.0",
    "twilio ~= 7.3.2",
    "Deprecated ~= 1.2.13",
    "MarkupSafe~=1.1.1",
    "cryptography ~= 37.0.1",
    "SQLAlchemy ~= 1.3.24",
    "redis ~= 4.5.3",
    "newrelic-telemetry-sdk ~= 0.5.0",
    "aiospamc == 0.10",
    "itsdangerous ~= 1.1.0",
    "werkzeug ~= 1.0.1",
 ]
 [tool.black]
 target-version = ['py310']
 exclude = '''
 (
-  /(
+ /(
-      \.eggs         # exclude a few common directories in the
+   \.eggs         # exclude a few common directories in the
-    | \.git          # root of the project
+   | \.git          # root of the project
-    | \.hg
+   | \.hg
-    | \.mypy_cache
+   | \.mypy_cache
-    | \.tox
+   | \.tox
-    | \.venv
+   | \.venv
-    | _build
+   | _build
-    | buck-out
+   | buck-out
-    | build
+   | build
-    | dist
+   | dist
-    | migrations    # migrations/ is generated by alembic
+   | migrations    # migrations/ is generated by alembic
-    | app/events/generated
+   | app/events/generated
  )/
 )
 '''
@ -27,7 +107,6 @@ exclude = [".venv", "migrations", "app/events/generated"]
 indent = 2
 profile = "jinja"
 blank_line_after_tag = "if,for,include,load,extends,block,endcall"
 # H006: Images should have a height attribute
 # H013: Images should have an alt attribute
 # H016: Missing title tag in html. | False positive on template
@ -43,92 +122,26 @@ blank_line_after_tag = "if,for,include,load,extends,block,endcall"
 # T001: Variables should be wrapped in a single whitespace. | Messes up with comments
 ignore = "H006,H013,H016,H017,H019,H021,H025,H030,H031,T003,J004,J018,T001"
-[tool.poetry]
+[tool.uv]
-name = "SimpleLogin"
+dev-dependencies = [
-version = "0.1.0"
+    "pytest ~= 7.0.0",
-description = "open-source email alias solution"
+    "pytest-cov ~= 3.0.0",
-authors = ["SimpleLogin <dev@simplelogin.io>"]
+    "pre-commit ~= 2.17.0",
-license = "MIT"
+    "black ~= 22.1.0",
-repository = "https://github.com/simple-login/app"
+    "djlint ~= 1.3.0",
-keywords = ["email", "alias", "privacy", "oauth2", "openid"]
+    "pylint ~= 2.14.4",
-packages = [
+    "ruff ~= 0.1.5",
  { include = "app/" },
  { include = "migrations/" },
 ]
 include = ["templates/*", "templates/**/*", "local_data/*.txt"]
 [tool.poetry.dependencies]
 python = "^3.10"
 flask = "^1.1.2"
 flask_login = "^0.5.0"
 wtforms = "^2.3.3"
 unidecode = "^1.1.1"
 gunicorn = "^20.0.4"
 bcrypt = "^3.2.0"
 python-dotenv = "^0.14.0"
 ipython = "^7.31.1"
 sqlalchemy_utils = "^0.36.8"
 psycopg2-binary = "^2.9.3"
 sentry_sdk = "^2.16.0"
 blinker = "^1.4"
 arrow = "^0.16.0"
 Flask-WTF = "^0.14.3"
 boto3 = "^1.15.9"
 Flask-Migrate = "^2.5.3"
 flask_admin = "^1.5.6"
 flask-cors = "^3.0.9"
 watchtower = "^0.8.0"
 sqlalchemy-utils = "^0.36.8"
 jwcrypto = "^0.8"
 yacron = "^0.11.1"
 flask-debugtoolbar = "^0.11.0"
 requests_oauthlib = "^1.3.0"
 pyopenssl = "^19.1.0"
 aiosmtpd = "^1.2"
 dnspython = "^2.0.0"
 coloredlogs = "^14.0"
 pycryptodome = "^3.9.8"
 phpserialize = "^1.3"
 dkimpy = "^1.0.5"
 pyotp = "^2.4.0"
 flask_profiler = "^1.8.1"
 facebook-sdk = "^3.1.0"
 google-api-python-client = "^1.12.3"
 google-auth-httplib2 = "^0.0.4"
 python-gnupg = "^0.4.6"
 webauthn = "^0.4.7"
 pyspf = "^2.0.14"
 Flask-Limiter = "^1.4"
 memory_profiler = "^0.57.0"
 gevent = "22.10.2"
 email_validator = "^1.1.1"
 PGPy = "0.5.4"
 coinbase-commerce = "^1.0.1"
 requests = "^2.25.1"
 newrelic = "8.8.0"
 flanker = "^0.9.11"
 pyre2 = "^0.3.6"
 tldextract = "^3.1.2"
 flask-debugtoolbar-sqlalchemy = "^0.2.0"
 twilio = "^7.3.2"
 Deprecated = "^1.2.13"
 cryptography = "37.0.1"
 SQLAlchemy = "1.3.24"
 redis = "^4.5.3"
 newrelic-telemetry-sdk = "^0.5.0"
 aiospamc = "0.10"
 [tool.poetry.dev-dependencies]
 pytest = "^7.0.0"
 pytest-cov = "^3.0.0"
 black = "^22.1.0"
 djlint = "^1.3.0"
 pylint = "^2.14.4"
 [tool.poetry.group.dev.dependencies]
 ruff = "^0.1.5"
 pre-commit = "^3.8.0"
 [build-system]
-requires = ["poetry>=0.12"]
+requires = ["hatchling"]
-build-backend = "poetry.masonry.api"
+build-backend = "hatchling.build"
 [tool.hatch.metadata]
 allow-direct-references = true
 [tool.hatch.build.targets.sdist]
 include = ["app", "local_data", "migrations", "templates"]
 [tool.hatch.build.targets.wheel]
 packages = ["app", "local_data", "migrations", "templates"]
--- a/app/requirements-dev.lock
+++ b/app/requirements-dev.lock
@ -0,0 +1,469 @@
 # generated by rye
 # use `rye lock` or `rye sync` to update this lockfile
 #
 # last locked with the following flags:
 #   pre: false
 #   features: []
 #   all-features: false
 #   with-sources: false
 #   generate-hashes: false
 #   universal: false
 -e file:.
 aiohappyeyeballs==2.4.4
    # via aiohttp
 aiohttp==3.11.11
    # via yacron
 aiosignal==1.3.2
    # via aiohttp
 aiosmtpd==1.4.6
    # via simplelogin
 aiosmtplib==3.0.2
    # via yacron
 aiospamc==0.10.0
    # via simplelogin
 alembic==1.14.0
    # via flask-migrate
 appnope==0.1.4
    # via ipython
 arrow==0.16.0
    # via simplelogin
 astroid==2.11.7
    # via pylint
 async-timeout==5.0.1
    # via aiohttp
    # via redis
 atpublic==5.0
    # via aiosmtpd
 attrs==24.3.0
    # via aiohttp
    # via aiosmtpd
    # via flanker
    # via pytest
 backcall==0.2.0
    # via ipython
 bcrypt==3.2.2
    # via simplelogin
 black==22.1.0
 blinker==1.9.0
    # via flask-debugtoolbar
    # via simplelogin
 boto3==1.35.99
    # via simplelogin
    # via watchtower
 botocore==1.35.99
    # via boto3
    # via s3transfer
 cachetools==5.5.0
    # via google-auth
 cbor2==5.6.5
    # via webauthn
 certifi==2024.12.14
    # via aiospamc
    # via requests
    # via sentry-sdk
 cffi==1.17.1
    # via bcrypt
    # via cryptography
 cfgv==3.4.0
    # via pre-commit
 chardet==4.0.0
    # via flanker
    # via requests
 click==8.1.8
    # via black
    # via djlint
    # via flask
    # via typer
 coinbase-commerce==1.0.1
    # via simplelogin
 colorama==0.4.6
    # via djlint
 coloredlogs==14.3
    # via simplelogin
 coverage==7.6.10
    # via pytest-cov
 crontab==0.22.8
    # via yacron
 cryptography==37.0.4
    # via flanker
    # via jwcrypto
    # via pgpy
    # via pyopenssl
    # via simplelogin
    # via webauthn
 decorator==5.1.1
    # via ipython
 deprecated==1.2.15
    # via jwcrypto
    # via limits
    # via simplelogin
 dill==0.3.9
    # via pylint
 distlib==0.3.9
    # via virtualenv
 djlint==1.3.0
 dkimpy==1.0.6
    # via simplelogin
 dnspython==2.6.1
    # via dkimpy
    # via email-validator
    # via simplelogin
 email-validator==1.1.3
    # via simplelogin
 facebook-sdk==3.1.0
    # via simplelogin
 filelock==3.16.1
    # via tldextract
    # via virtualenv
 flanker==0.9.11
    # via simplelogin
 flask==1.1.2
    # via flask-admin
    # via flask-cors
    # via flask-debugtoolbar
    # via flask-httpauth
    # via flask-limiter
    # via flask-login
    # via flask-migrate
    # via flask-profiler
    # via flask-sqlalchemy
    # via flask-wtf
    # via simplelogin
 flask-admin==1.5.8
    # via simplelogin
 flask-cors==3.0.10
    # via simplelogin
 flask-debugtoolbar==0.11.0
    # via flask-debugtoolbar-sqlalchemy
    # via simplelogin
 flask-debugtoolbar-sqlalchemy==0.2.0
    # via simplelogin
 flask-httpauth==4.8.0
    # via flask-profiler
 flask-limiter==1.4
    # via simplelogin
 flask-login==0.5.0
    # via simplelogin
 flask-migrate==2.5.3
    # via simplelogin
 flask-profiler==1.8.1
    # via simplelogin
 flask-sqlalchemy==2.5.1
    # via flask-migrate
 flask-wtf==0.14.3
    # via simplelogin
 frozenlist==1.5.0
    # via aiohttp
    # via aiosignal
 future==1.0.0
    # via webauthn
 gevent==24.11.1
    # via simplelogin
 google-api-core==2.24.0
    # via google-api-python-client
 google-api-python-client==1.12.11
    # via simplelogin
 google-auth==2.37.0
    # via google-api-core
    # via google-api-python-client
    # via google-auth-httplib2
 google-auth-httplib2==0.0.4
    # via google-api-python-client
    # via simplelogin
 googleapis-common-protos==1.66.0
    # via google-api-core
 greenlet==3.1.1
    # via gevent
 gunicorn==20.0.4
    # via simplelogin
 html-tag-names==0.1.2
    # via djlint
 html-void-elements==0.1.0
    # via djlint
 httplib2==0.22.0
    # via google-api-python-client
    # via google-auth-httplib2
 humanfriendly==10.0
    # via coloredlogs
 identify==2.6.5
    # via pre-commit
 idna==2.10
    # via email-validator
    # via flanker
    # via requests
    # via tldextract
    # via yarl
 importlib-metadata==4.13.0
    # via djlint
 iniconfig==2.0.0
    # via pytest
 ipython==7.31.1
    # via simplelogin
 isort==5.13.2
    # via pylint
 itsdangerous==1.1.0
    # via flask
    # via flask-debugtoolbar
    # via flask-wtf
    # via simplelogin
 jedi==0.19.2
    # via ipython
 jinja2==2.11.3
    # via flask
    # via yacron
 jmespath==1.0.1
    # via boto3
    # via botocore
 jwcrypto==0.9.1
    # via simplelogin
 lazy-object-proxy==1.10.0
    # via astroid
 limits==4.0.0
    # via flask-limiter
 loguru==0.7.3
    # via aiospamc
 mako==1.3.8
    # via alembic
 markupsafe==1.1.1
    # via jinja2
    # via mako
    # via simplelogin
    # via wtforms
 matplotlib-inline==0.1.7
    # via ipython
 mccabe==0.7.0
    # via pylint
 memory-profiler==0.57.0
    # via simplelogin
 multidict==6.1.0
    # via aiohttp
    # via yarl
 mypy-extensions==1.0.0
    # via black
 newrelic==8.8.1
    # via simplelogin
 newrelic-telemetry-sdk==0.5.1
    # via simplelogin
 nodeenv==1.9.1
    # via pre-commit
 oauthlib==3.2.2
    # via requests-oauthlib
 packaging==24.2
    # via limits
    # via pytest
 parso==0.8.4
    # via jedi
 pathspec==0.9.0
    # via black
    # via djlint
 pexpect==4.9.0
    # via ipython
 pgpy==0.5.4
    # via simplelogin
 phpserialize==1.3
    # via simplelogin
 pickleshare==0.7.5
    # via ipython
 platformdirs==4.3.6
    # via black
    # via pylint
    # via virtualenv
 pluggy==1.5.0
    # via pytest
 ply==3.11
    # via flanker
 pre-commit==2.17.0
 prompt-toolkit==3.0.48
    # via ipython
 propcache==0.2.1
    # via aiohttp
    # via yarl
 proto-plus==1.25.0
    # via google-api-core
 protobuf==5.29.3
    # via google-api-core
    # via googleapis-common-protos
    # via proto-plus
 psutil==6.1.1
    # via memory-profiler
 psycopg2-binary==2.9.10
    # via simplelogin
 ptyprocess==0.7.0
    # via pexpect
 py==1.11.0
    # via pytest
 pyasn1==0.6.1
    # via pgpy
    # via pyasn1-modules
    # via rsa
 pyasn1-modules==0.4.1
    # via google-auth
 pycparser==2.22
    # via cffi
 pycryptodome==3.9.9
    # via simplelogin
 pygments==2.19.1
    # via flask-debugtoolbar-sqlalchemy
    # via ipython
 pyjwt==2.10.1
    # via twilio
 pylint==2.14.5
 pyopenssl==19.1.0
    # via simplelogin
    # via webauthn
 pyotp==2.4.1
    # via simplelogin
 pyparsing==3.2.1
    # via httplib2
 pyre2==0.3.6
    # via simplelogin
 pyspf==2.0.14
    # via simplelogin
 pytest==7.0.1
    # via pytest-cov
 pytest-cov==3.0.0
 python-dateutil==2.9.0.post0
    # via arrow
    # via botocore
    # via strictyaml
 python-dotenv==0.14.0
    # via simplelogin
 python-gnupg==0.4.9
    # via simplelogin
 pytz==2024.2
    # via twilio
    # via yacron
 pyyaml==6.0.2
    # via djlint
    # via pre-commit
 redis==4.5.5
    # via simplelogin
 regex==2022.10.31
    # via djlint
    # via flanker
 requests==2.25.1
    # via coinbase-commerce
    # via facebook-sdk
    # via google-api-core
    # via requests-file
    # via requests-oauthlib
    # via simplelogin
    # via tldextract
    # via twilio
 requests-file==2.1.0
    # via tldextract
 requests-oauthlib==1.3.1
    # via simplelogin
 rsa==4.9
    # via google-auth
 ruamel-yaml==0.17.4
    # via yacron
 ruff==0.1.15
 s3transfer==0.10.4
    # via boto3
 sentry-sdk==2.20.0
    # via simplelogin
    # via yacron
 setuptools==75.8.0
    # via astroid
    # via gunicorn
    # via ipython
    # via zope-event
    # via zope-interface
 simplejson==3.19.3
    # via flask-profiler
 six==1.17.0
    # via coinbase-commerce
    # via flanker
    # via flask-cors
    # via flask-limiter
    # via google-api-python-client
    # via google-auth-httplib2
    # via jwcrypto
    # via pgpy
    # via pyopenssl
    # via python-dateutil
    # via sqlalchemy-utils
    # via webauthn
 sqlalchemy==1.3.24
    # via alembic
    # via flask-debugtoolbar-sqlalchemy
    # via flask-sqlalchemy
    # via simplelogin
    # via sqlalchemy-utils
 sqlalchemy-utils==0.36.8
    # via simplelogin
 sqlparse==0.5.3
    # via flask-debugtoolbar-sqlalchemy
 strictyaml==1.7.3
    # via yacron
 tld==0.13
    # via flanker
 tldextract==3.1.2
    # via simplelogin
 toml==0.10.2
    # via pre-commit
 tomli==2.2.1
    # via black
    # via coverage
    # via djlint
    # via pylint
    # via pytest
 tomlkit==0.13.2
    # via pylint
 tqdm==4.67.1
    # via djlint
 traitlets==5.14.3
    # via ipython
    # via matplotlib-inline
 twilio==7.3.2
    # via simplelogin
 typer==0.9.4
    # via aiospamc
 typing-extensions==4.12.2
    # via aiospamc
    # via alembic
    # via limits
    # via multidict
    # via typer
 unidecode==1.1.2
    # via simplelogin
 uritemplate==3.0.1
    # via google-api-python-client
 urllib3==1.26.20
    # via botocore
    # via newrelic-telemetry-sdk
    # via requests
    # via sentry-sdk
 virtualenv==20.29.0
    # via pre-commit
 watchtower==0.8.0
    # via simplelogin
 wcwidth==0.2.13
    # via prompt-toolkit
 webauthn==0.4.7
    # via simplelogin
 webob==1.8.9
    # via flanker
 werkzeug==1.0.1
    # via flask
    # via flask-debugtoolbar
    # via simplelogin
 wrapt==1.17.2
    # via astroid
    # via deprecated
 wtforms==2.3.3
    # via flask-admin
    # via flask-wtf
    # via simplelogin
 yacron==0.19.0
    # via simplelogin
 yarl==1.18.3
    # via aiohttp
 zipp==3.21.0
    # via importlib-metadata
 zope-event==5.0
    # via gevent
 zope-interface==7.2
    # via gevent
--- a/app/requirements.lock
+++ b/app/requirements.lock
@ -0,0 +1,392 @@
 # generated by rye
 # use `rye lock` or `rye sync` to update this lockfile
 #
 # last locked with the following flags:
 #   pre: false
 #   features: []
 #   all-features: false
 #   with-sources: false
 #   generate-hashes: false
 #   universal: false
 -e file:.
 aiohttp==3.8.4
    # via google-auth
    # via yacron
 aiosignal==1.2.0
    # via aiohttp
 aiosmtpd==1.4.2
    # via simplelogin
 aiosmtplib==1.1.4
    # via yacron
 aiospamc==0.10.0
    # via simplelogin
 alembic==1.4.3
    # via flask-migrate
 appnope==0.1.0
    # via ipython
 arrow==0.16.0
    # via simplelogin
 async-timeout==4.0.2
    # via aiohttp
    # via redis
 atpublic==2.0
    # via aiosmtpd
 attrs==20.2.0
    # via aiohttp
    # via aiosmtpd
    # via flanker
 backcall==0.2.0
    # via ipython
 bcrypt==3.2.0
    # via simplelogin
 blinker==1.4
    # via flask-debugtoolbar
    # via simplelogin
 boto3==1.35.99
    # via simplelogin
    # via watchtower
 botocore==1.35.99
    # via boto3
    # via s3transfer
 cachetools==4.1.1
    # via google-auth
 cbor2==5.2.0
    # via webauthn
 certifi==2019.11.28
    # via aiospamc
    # via requests
    # via sentry-sdk
 cffi==1.14.4
    # via bcrypt
    # via cryptography
 chardet==3.0.4
    # via flanker
    # via requests
 charset-normalizer==3.4.1
    # via aiohttp
 click==8.0.3
    # via flask
    # via typer
 coinbase-commerce==1.0.1
    # via simplelogin
 coloredlogs==14.0
    # via simplelogin
 crontab==0.22.8
    # via yacron
 cryptography==37.0.1
    # via flanker
    # via jwcrypto
    # via pgpy
    # via pyopenssl
    # via simplelogin
    # via webauthn
 decorator==4.4.2
    # via ipython
 deprecated==1.2.13
    # via simplelogin
 dkimpy==1.0.5
    # via simplelogin
 dnspython==2.6.1
    # via dkimpy
    # via email-validator
    # via simplelogin
 email-validator==1.1.3
    # via simplelogin
 facebook-sdk==3.1.0
    # via simplelogin
 filelock==3.15.4
    # via tldextract
 flanker==0.9.11
    # via simplelogin
 flask==1.1.2
    # via flask-admin
    # via flask-cors
    # via flask-debugtoolbar
    # via flask-httpauth
    # via flask-limiter
    # via flask-login
    # via flask-migrate
    # via flask-profiler
    # via flask-sqlalchemy
    # via flask-wtf
    # via simplelogin
 flask-admin==1.5.7
    # via simplelogin
 flask-cors==3.0.9
    # via simplelogin
 flask-debugtoolbar==0.11.0
    # via flask-debugtoolbar-sqlalchemy
    # via simplelogin
 flask-debugtoolbar-sqlalchemy==0.2.0
    # via simplelogin
 flask-httpauth==4.1.0
    # via flask-profiler
 flask-limiter==1.4
    # via simplelogin
 flask-login==0.5.0
    # via simplelogin
 flask-migrate==2.5.3
    # via simplelogin
 flask-profiler==1.8.1
    # via simplelogin
 flask-sqlalchemy==2.5.1
    # via flask-migrate
 flask-wtf==0.14.3
    # via simplelogin
 frozenlist==1.3.3
    # via aiohttp
    # via aiosignal
 future==0.18.3
    # via webauthn
 gevent==24.11.1
    # via simplelogin
 google-api-core==1.22.2
    # via google-api-python-client
 google-api-python-client==1.12.3
    # via simplelogin
 google-auth==1.22.0
    # via google-api-core
    # via google-api-python-client
    # via google-auth-httplib2
 google-auth-httplib2==0.0.4
    # via google-api-python-client
    # via simplelogin
 googleapis-common-protos==1.52.0
    # via google-api-core
 greenlet==3.1.1
    # via gevent
 gunicorn==20.0.4
    # via simplelogin
 httplib2==0.22.0
    # via google-api-python-client
    # via google-auth-httplib2
 humanfriendly==8.2
    # via coloredlogs
 idna==2.10
    # via email-validator
    # via flanker
    # via requests
    # via tldextract
    # via yarl
 ipython==7.31.1
    # via simplelogin
 ipython-genutils==0.2.0
    # via traitlets
 itsdangerous==1.1.0
    # via flask
    # via flask-debugtoolbar
    # via flask-wtf
    # via simplelogin
 jedi==0.17.2
    # via ipython
 jinja2==2.11.3
    # via flask
    # via yacron
 jmespath==0.10.0
    # via boto3
    # via botocore
 jwcrypto==0.8
    # via simplelogin
 limits==1.5.1
    # via flask-limiter
 loguru==0.7.2
    # via aiospamc
 mako==1.2.4
    # via alembic
 markupsafe==1.1.1
    # via jinja2
    # via mako
    # via simplelogin
    # via wtforms
 matplotlib-inline==0.1.3
    # via ipython
 memory-profiler==0.57.0
    # via simplelogin
 multidict==4.7.6
    # via aiohttp
    # via yarl
 newrelic==8.8.0
    # via simplelogin
 newrelic-telemetry-sdk==0.5.0
    # via simplelogin
 oauthlib==3.1.0
    # via requests-oauthlib
 parso==0.7.1
    # via jedi
 pexpect==4.8.0
    # via ipython
 pgpy==0.5.4
    # via simplelogin
 phpserialize==1.3
    # via simplelogin
 pickleshare==0.7.5
    # via ipython
 ply==3.11
    # via flanker
 prompt-toolkit==3.0.7
    # via ipython
 protobuf==5.27.1
    # via google-api-core
    # via googleapis-common-protos
 psutil==5.7.2
    # via memory-profiler
 psycopg2-binary==2.9.3
    # via simplelogin
 ptyprocess==0.6.0
    # via pexpect
 pyasn1==0.4.8
    # via pgpy
    # via pyasn1-modules
    # via rsa
 pyasn1-modules==0.2.8
    # via google-auth
 pycparser==2.20
    # via cffi
 pycryptodome==3.9.8
    # via simplelogin
 pygments==2.7.4
    # via flask-debugtoolbar-sqlalchemy
    # via ipython
 pyjwt==2.4.0
    # via twilio
 pyopenssl==19.1.0
    # via simplelogin
    # via webauthn
 pyotp==2.4.0
    # via simplelogin
 pyparsing==2.4.7
    # via httplib2
 pyre2==0.3.6
    # via simplelogin
 pyspf==2.0.14
    # via simplelogin
 python-dateutil==2.8.1
    # via alembic
    # via arrow
    # via botocore
    # via strictyaml
 python-dotenv==0.14.0
    # via simplelogin
 python-editor==1.0.4
    # via alembic
 python-gnupg==0.4.6
    # via simplelogin
 pytz==2020.1
    # via google-api-core
    # via twilio
    # via yacron
 redis==4.5.5
    # via simplelogin
 regex==2023.12.25
    # via flanker
 requests==2.25.1
    # via coinbase-commerce
    # via facebook-sdk
    # via google-api-core
    # via requests-file
    # via requests-oauthlib
    # via simplelogin
    # via tldextract
    # via twilio
 requests-file==1.5.1
    # via tldextract
 requests-oauthlib==1.3.0
    # via simplelogin
 rsa==4.6
    # via google-auth
 ruamel-yaml==0.17.4
    # via strictyaml
    # via yacron
 s3transfer==0.10.4
    # via boto3
 sentry-sdk==2.20.0
    # via simplelogin
    # via yacron
 setuptools==67.6.0
    # via google-api-core
    # via google-auth
    # via gunicorn
    # via ipython
    # via zope-event
    # via zope-interface
 simplejson==3.17.2
    # via flask-profiler
 six==1.15.0
    # via bcrypt
    # via coinbase-commerce
    # via flanker
    # via flask-cors
    # via flask-limiter
    # via google-api-core
    # via google-api-python-client
    # via google-auth
    # via google-auth-httplib2
    # via limits
    # via pgpy
    # via pyopenssl
    # via python-dateutil
    # via requests-file
    # via sqlalchemy-utils
    # via webauthn
 sqlalchemy==1.3.24
    # via alembic
    # via flask-debugtoolbar-sqlalchemy
    # via flask-sqlalchemy
    # via simplelogin
    # via sqlalchemy-utils
 sqlalchemy-utils==0.36.8
    # via simplelogin
 sqlparse==0.4.4
    # via flask-debugtoolbar-sqlalchemy
 strictyaml==1.1.0
    # via yacron
 tld==0.12.6
    # via flanker
 tldextract==3.1.2
    # via simplelogin
 traitlets==5.0.4
    # via ipython
    # via matplotlib-inline
 twilio==7.3.2
    # via simplelogin
 typer==0.9.0
    # via aiospamc
 typing-extensions==4.8.0
    # via aiospamc
    # via typer
 unidecode==1.1.1
    # via simplelogin
 uritemplate==3.0.1
    # via google-api-python-client
 urllib3==1.26.20
    # via botocore
    # via newrelic-telemetry-sdk
    # via requests
    # via sentry-sdk
 watchtower==0.8.0
    # via simplelogin
 wcwidth==0.2.5
    # via prompt-toolkit
 webauthn==0.4.7
    # via simplelogin
 webob==1.8.7
    # via flanker
 werkzeug==1.0.1
    # via flask
    # via flask-debugtoolbar
    # via simplelogin
 wrapt==1.15.0
    # via deprecated
 wtforms==2.3.3
    # via flask-admin
    # via flask-wtf
    # via simplelogin
 yacron==0.19.0
    # via simplelogin
 yarl==1.9.2
    # via aiohttp
 zope-event==5.0
    # via gevent
 zope-interface==7.2
    # via gevent
--- a/app/scripts/new-migration.sh
+++ b/app/scripts/new-migration.sh
@ -12,10 +12,10 @@ docker run -p 25432:5432 --name ${container_name} -e POSTGRES_PASSWORD=postgres
 sleep 3
 # upgrade the DB to the latest stage and
-env DB_URI=postgresql://postgres:postgres@127.0.0.1:25432/sl poetry run alembic upgrade head
+env DB_URI=postgresql://postgres:postgres@127.0.0.1:25432/sl rye run alembic upgrade head
 # generate the migration script.
-env DB_URI=postgresql://postgres:postgres@127.0.0.1:25432/sl poetry run alembic revision --autogenerate $@
+env DB_URI=postgresql://postgres:postgres@127.0.0.1:25432/sl rye run alembic revision --autogenerate $@
 # remove the db
 docker rm -f ${container_name}
--- a/app/scripts/reset_local_db.sh
+++ b/app/scripts/reset_local_db.sh
@ -3,5 +3,5 @@
 export DB_URI=postgresql://myuser:mypassword@localhost:15432/simplelogin
 echo 'drop schema public cascade; create schema public;' | psql  $DB_URI
-poetry run alembic upgrade head
+rye run alembic upgrade head
-poetry run flask dummy-data
+rye run flask dummy-data
--- a/app/scripts/reset_test_db.sh
+++ b/app/scripts/reset_test_db.sh
@ -3,4 +3,4 @@
 export DB_URI=postgresql://myuser:mypassword@localhost:15432/test
 echo 'drop schema public cascade; create schema public;' | psql  $DB_URI
-poetry run alembic upgrade head
+rye run alembic upgrade head
--- a/app/scripts/run-test.sh
+++ b/app/scripts/run-test.sh
@ -10,10 +10,10 @@ docker run -d --name sl-test-db -e POSTGRES_PASSWORD=test -e POSTGRES_USER=test
 sleep 3
 # migrate the DB to the latest version
-CONFIG=tests/test.env poetry run alembic upgrade head
+CONFIG=tests/test.env rye run alembic upgrade head
 # run test
-poetry run pytest -c pytest.ci.ini
+rye run pytest -c pytest.ci.ini
 # Delete the test DB
 docker rm -f sl-test-db
--- a/app/server.py
+++ b/app/server.py
@ -44,6 +44,7 @@ from app.admin_model import (
    MetricAdmin,
    InvalidMailboxDomainAdmin,
    EmailSearchAdmin,
    CustomDomainSearchAdmin,
 )
 from app.api.base import api_bp
 from app.auth.base import auth_bp
@ -443,6 +444,11 @@ def init_admin(app):
    admin.init_app(app, index_view=SLAdminIndexView())
    admin.add_view(EmailSearchAdmin(name="Email Search", endpoint="email_search"))
    admin.add_view(
        CustomDomainSearchAdmin(
            name="Custom domain search", endpoint="custom_domain_search"
        )
    )
    admin.add_view(UserAdmin(User, Session))
    admin.add_view(AliasAdmin(Alias, Session))
    admin.add_view(MailboxAdmin(Mailbox, Session))
--- a/app/templates/admin/custom_domain_search.html
+++ b/app/templates/admin/custom_domain_search.html
@ -0,0 +1,118 @@
 {% extends 'admin/master.html' %}
 {% macro show_user(user) -%}
    <h4>User <a href="/admin/email_search?email={{ user.email }}">{{ user.email }}</a> with ID {{ user.id }}.</h4>
    <table class="table">
        <thead>
        <tr>
            <th scope="col">User ID</th>
            <th scope="col">Email</th>
            <th scope="col">Verified</th>
            <th scope="col">Status</th>
            <th scope="col">Paid</th>
            <th scope="col">Premium</th>
        </tr>
        </thead>
        <tbody>
        <tr>
            <td>{{ user.id }}</td>
            <td>
                <a href="/admin/email_search?email={{ user.email }}">{{ user.email }}</a>
            </td>
            {% if user.activated %}
                <td class="text-success">Activated</td>
            {% else %}
                <td class="text-warning">Pending</td>
            {% endif %}
            {% if user.disabled %}
                <td class="text-danger">Disabled</td>
            {% else %}
                <td class="text-success">Enabled</td>
            {% endif %}
            <td>{{ "yes" if user.is_paid() else "No" }}</td>
            <td>{{ "yes" if user.is_premium() else "No" }}</td>
        </tr>
        </tbody>
    </table>
 {%- endmacro %}
 {% macro show_verification(title, expected, errors) -%}
    {% if not expected %}
        <h4 class="mb-3">{{ title }} <span class="text-success">Verified</span></h4>
    {% else %}
        <h4 class="mb-3">{{ title }}</h4>
        <p>Expected</p>
        <p>{{expected}}</p>
        <p>Current response</p>
        <ul class="list-group">
        {% for error in errors %}
            <li class="list-group-item">{{ error }}</li>
        {% endfor %}
        </ul>
    {% endif %}
 {%- endmacro %}
 {% macro show_domain(domain_with_data) -%}
    <h3>Domain {{ domain_with_data.domain.domain }}</h3>
    {% set domain = domain_with_data.domain %}
    <ul class="list-group">
        <li class="list-group-item">
            {{ show_verification("Ownership", domain_with_data.ownership_expected, domain_with_data.ownership_validation.errors) }}
        </li>
        <li class="list-group-item">
            {{ show_verification("MX", domain_with_data.mx_expected, domain_with_data.mx_validation.errors) }}
        </li>
        <li class="list-group-item">
            {{ show_verification("SPF", domain_with_data.spf_expected, domain_with_data.spf_validation.errors) }}
        </li>
        {% for dkim_domain in domain_with_data.dkim_expected %}
            <li class="list-group-item">
            {{ show_verification("DKIM {}.{}".format(dkim_domain, domain.domain), domain_with_data.dkim_expected[dkim_domain], [domain_with_data.dkim_validation.get(dkim_domain+"."+domain.domain,'')]) }}
            </li>
        {% endfor %}
    </ul>
 {%- endmacro %}
 {% block body %}
    <div class="border border-dark border-2 mt-1 mb-2 p-3">
        <form method="get">
            <div class="form-group">
                <label for="email">User or domain to search:</label>
                <input type="text"
                       class="form-control"
                       name="user"
                       value="{{ query or '' }}" />
            </div>
            <button type="submit" class="btn btn-primary">Submit</button>
        </form>
    </div>
    {% if data.no_match and query %}
        <div class="border border-dark border-2 mt-1 mb-2 p-3 alert alert-warning"
             role="alert">No user, alias or mailbox found for {{ query }}</div>
    {% endif %}
    {% if data.user %}
        <div class="border border-dark border-2 mt-1 mb-2 p-3">
            <h3 class="mb-3">Found User {{ data.user.email }}</h3>
            {{ show_user(data.user) }}
        </div>
    {% endif %}
    <div class="d-flex">
    {% for domain_with_data in data.domains  %}
        <div class="card m-2 border-dark" style="width: 30rem;">
        <div class="card-body">
            {{ show_domain(domain_with_data) }}
        </div>
        </div>
    {% endfor %}
    </div>
 {% endblock %}
--- a/app/templates/admin/email_search.html
+++ b/app/templates/admin/email_search.html
@ -1,279 +1,295 @@
 {% extends 'admin/master.html' %}
 {% macro show_user(user) -%}
-    <h4>User {{ user.email }} with ID {{ user.id }}.</h4>
+  <h4>User {{ user.email }} with ID {{ user.id }}.</h4>
-    {% set pu = helper.partner_user(user) %}
+  {% set pu = helper.partner_user(user) %}
-    <table class="table">
+  <table class="table">
-        <thead>
+    <thead>
-        <tr>
+      <tr>
-            <th scope="col">User ID</th>
+        <th scope="col">User ID</th>
-            <th scope="col">Email</th>
+        <th scope="col">Email</th>
-            <th scope="col">Status</th>
+        <th scope="col">Verified</th>
-            <th scope="col">Paid</th>
+        <th scope="col">Status</th>
-            <th>Subscription</th>
+        <th scope="col">Paid</th>
-            <th>Created At</th>
+        <th scope="col">Premium</th>
-            <th>Updated At</th>
+        <th>Subscription</th>
-            <th>Connected with Proton account</th>
+        <th>Created At</th>
-        </tr>
+        <th>Updated At</th>
-        </thead>
+        <th>Connected with Proton account</th>
-        <tbody>
+      </tr>
-        <tr>
+    </thead>
-            <td>{{ user.id }}</td>
+    <tbody>
-            <td><a href="?email={{ user.email }}">{{ user.email }}</a></td>
+      <tr>
-            {% if user.disabled %}
+        <td>{{ user.id }}</td>
        <td>
          <a href="?email={{ user.email }}">{{ user.email }}</a>
        </td>
        {% if user.activated %}
-                <td class="text-danger">Disabled</td>
+          <td class="text-success">Activated</td>
-            {% else %}
+        {% else %}
-                <td class="text-success">Enabled</td>
+          <td class="text-warning">Pending</td>
-            {% endif %}
+        {% endif %}
-            <td>{{ "yes" if user.is_paid() else "No" }}</td>
+        {% if user.disabled %}
            <td>{{ user.get_active_subscription() }}</td>
            <td>{{ user.created_at }}</td>
            <td>{{ user.updated_at }}</td>
            {% if pu %}
-                <td><a href="?email={{ pu.partner_email }}">{{ pu.partner_email }}</a></td>
+          <td class="text-danger">Disabled</td>
-            {% else %}
+        {% else %}
-                <td>No</td>
+          <td class="text-success">Enabled</td>
-            {% endif %}
+        {% endif %}
-        </tr>
+        <td>{{ "yes" if user.is_paid() else "No" }}</td>
-        </tbody>
+        <td>{{ "yes" if user.is_premium() else "No" }}</td>
-    </table>
+        <td>{{ user.get_active_subscription() }}</td>
        <td>{{ user.created_at }}</td>
        <td>{{ user.updated_at }}</td>
        {% if pu %}
          <td>
            <a href="?email={{ pu.partner_email }}">{{ pu.partner_email }}</a>
          </td>
        {% else %}
          <td>No</td>
        {% endif %}
      </tr>
    </tbody>
  </table>
 {%- endmacro %}
 {% macro list_mailboxes(message, mbox_count, mboxes) %}
-    <h4>
+  <h4>
-        {{ mbox_count }} {{ message }}.
+    {{ mbox_count }} {{ message }}.
-        {% if mbox_count>10 %}Showing only the last 10.{% endif %}
+    {% if mbox_count>10 %}Showing only the last 10.{% endif %}
-    </h4>
+  </h4>
-    <table class="table">
+  <table class="table">
-        <thead>
+    <thead>
      <tr>
        <th>Mailbox ID</th>
        <th>Email</th>
        <th>Verified</th>
        <th>Created At</th>
      </tr>
    </thead>
    <tbody>
      {% for mailbox in mboxes %}
        <tr>
-            <th>Mailbox ID</th>
+          <td>{{ mailbox.id }}</td>
-            <th>Email</th>
+          <td>
-            <th>Verified</th>
+            <a href="?email={{ mailbox.email }}">{{ mailbox.email }}</a>
-            <th>Created At</th>
+          </td>
          <td>{{ "Yes" if mailbox.verified else "No" }}</td>
          <td>{{ mailbox.created_at }}</td>
        </tr>
-        </thead>
+      {% endfor %}
-        <tbody>
+    </tbody>
-        {% for mailbox in mboxes %}
+  </table>
            <tr>
                <td>{{ mailbox.id }}</td>
                <td><a href="?email={{ mailbox.email }}">{{ mailbox.email }}</a></td>
                <td>{{ "Yes" if mailbox.verified else "No" }}</td>
                <td>
                    {{ mailbox.created_at }}
                </td>
            </tr>
        {% endfor %}
        </tbody>
    </table>
 {% endmacro %}
 {% macro list_alias(alias_count, aliases) %}
-    <h4>
+  <h4>
-        {{ alias_count }} Aliases found.
+    {{ alias_count }} Aliases found.
-        {% if alias_count>10 %}Showing only the last 10.{% endif %}
+    {% if alias_count>10 %}Showing only the last 10.{% endif %}
-    </h4>
+  </h4>
-    <table class="table">
+  <table class="table">
-        <thead>
+    <thead>
      <tr>
        <th>Alias ID</th>
        <th>Email</th>
        <th>Enabled</th>
        <th>Created At</th>
      </tr>
    </thead>
    <tbody>
      {% for alias in aliases %}
        <tr>
-            <th>
+          <td>{{ alias.id }}</td>
-                Alias ID
+          <td>
-            </th>
+            <a href="?email={{ alias.email }}">{{ alias.email }}</a>
-            <th>
+          </td>
-                Email
+          <td>{{ "Yes" if alias.enabled else "No" }}</td>
-            </th>
+          <td>{{ alias.created_at }}</td>
            <th>
                Enabled
            </th>
            <th>
                Created At
            </th>
        </tr>
-        </thead>
+      {% endfor %}
-        <tbody>
+    </tbody>
-        {% for alias in aliases %}
+  </table>
            <tr>
                <td>{{ alias.id }}</td>
                <td><a href="?email={{ alias.email }}">{{ alias.email }}</a></td>
                <td>{{ "Yes" if alias.enabled else "No" }}</td>
                <td>{{ alias.created_at }}</td>
            </tr>
        {% endfor %}
        </tbody>
    </table>
 {% endmacro %}
 {% macro show_deleted_alias(deleted_alias) -%}
-    <h4>Deleted Alias {{ deleted_alias.email }} with ID {{ deleted_alias.id }}.</h4>
+  <h4>Deleted Alias {{ deleted_alias.email }} with ID {{ deleted_alias.id }}.</h4>
-    <table class="table">
+  <table class="table">
-        <thead>
+    <thead>
-        <tr>
+      <tr>
-            <th scope="col">Deleted Alias ID</th>
+        <th scope="col">Deleted Alias ID</th>
-            <th scope="col">Email</th>
+        <th scope="col">Email</th>
-            <th scope="col">Deleted At</th>
+        <th scope="col">Deleted At</th>
-            <th scope="col">Reason</th>
+        <th scope="col">Reason</th>
-        </tr>
+      </tr>
-        </thead>
+    </thead>
-        <tbody>
+    <tbody>
-        <tr>
+      <tr>
-            <td>{{ deleted_alias.id }}</td>
+        <td>{{ deleted_alias.id }}</td>
-            <td>{{ deleted_alias.email }}</td>
+        <td>{{ deleted_alias.email }}</td>
-            <td>{{ deleted_alias.created_at }}</td>
+        <td>{{ deleted_alias.created_at }}</td>
-            <td>{{ deleted_alias.reason }}</td>
+        <td>{{ deleted_alias.reason }}</td>
-        </tr>
+      </tr>
-        </tbody>
+    </tbody>
-    </table>
+  </table>
 {%- endmacro %}
 {% macro show_domain_deleted_alias(dom_deleted_alias) -%}
-    <h4>
+  <h4>
-        Domain Deleted Alias {{ dom_deleted_alias.email }} with ID {{ dom_deleted_alias.id }} for
+    Domain Deleted Alias {{ dom_deleted_alias.email }} with ID {{ dom_deleted_alias.id }} for
-        domain {{ dom_deleted_alias.domain.domain }}
+    domain {{ dom_deleted_alias.domain.domain }}
-    </h4>
+  </h4>
-    <table class="table">
+  <table class="table">
-        <thead>
+    <thead>
-        <tr>
+      <tr>
-            <th scope="col">Deleted Alias ID</th>
+        <th scope="col">Deleted Alias ID</th>
-            <th scope="col">Email</th>
+        <th scope="col">Email</th>
-            <th scope="col">Domain</th>
+        <th scope="col">Domain</th>
-            <th scope="col">Domain ID</th>
+        <th scope="col">Domain ID</th>
-            <th scope="col">Domain owner user ID</th>
+        <th scope="col">Domain owner user ID</th>
-            <th scope="col">Domain owner user email</th>
+        <th scope="col">Domain owner user email</th>
-            <th scope="col">Deleted At</th>
+        <th scope="col">Deleted At</th>
-        </tr>
+      </tr>
-        </thead>
+    </thead>
-        <tbody>
+    <tbody>
-        <tr>
+      <tr>
-            <td>{{ dom_deleted_alias.id }}</td>
+        <td>{{ dom_deleted_alias.id }}</td>
-            <td>{{ dom_deleted_alias.email }}</td>
+        <td>{{ dom_deleted_alias.email }}</td>
-            <td>{{ dom_deleted_alias.domain.domain }}</td>
+        <td>{{ dom_deleted_alias.domain.domain }}</td>
-            <td>{{ dom_deleted_alias.domain.id }}</td>
+        <td>{{ dom_deleted_alias.domain.id }}</td>
-            <td>{{ dom_deleted_alias.domain.user_id }}</td>
+        <td>{{ dom_deleted_alias.domain.user_id }}</td>
-            <td>{{ dom_deleted_alias.created_at }}</td>
+        <td>{{ dom_deleted_alias.created_at }}</td>
-        </tr>
+      </tr>
-        </tbody>
+    </tbody>
-    </table>
+  </table>
-    {{ show_user(data.domain_deleted_alias.domain.user) }}
+  {{ show_user(data.domain_deleted_alias.domain.user) }}
 {%- endmacro %}
 {% macro list_alias_audit_log(alias_audit_log) %}
-    <h4>Alias Audit Log</h4>
+  <h4>Alias Audit Log</h4>
-    <table class="table">
+  <table class="table">
-        <thead>
+    <thead>
      <tr>
        <th>User ID</th>
        <th>Alias ID</th>
        <th>Alias Email</th>
        <th>Action</th>
        <th>Message</th>
        <th>Time</th>
      </tr>
    </thead>
    <tbody>
      {% for entry in alias_audit_log %}
        <tr>
-            <th>User ID</th>
+          <td>{{ entry.user_id }}</td>
-            <th>Alias ID</th>
+          <td>{{ entry.alias_id }}</td>
-            <th>Alias Email</th>
+          <td>
-            <th>Action</th>
+            <a href="?email={{ entry.alias_email }}">{{ entry.alias_email }}</a>
-            <th>Message</th>
+          </td>
-            <th>Time</th>
+          <td>{{ entry.action }}</td>
          <td>{{ entry.message }}</td>
          <td>{{ entry.created_at }}</td>
        </tr>
-        </thead>
+      {% endfor %}
-        <tbody>
+    </tbody>
-        {% for entry in alias_audit_log %}
+  </table>
            <tr>
                <td>{{ entry.user_id }}</td>
                <td>{{ entry.alias_id }}</td>
                <td><a href="?email={{ entry.alias_email }}">{{ entry.alias_email }}</a></td>
                <td>{{ entry.action }}</td>
                <td>{{ entry.message }}</td>
                <td>{{ entry.created_at }}</td>
            </tr>
        {% endfor %}
        </tbody>
    </table>
 {% endmacro %}
 {% macro list_user_audit_log(user_audit_log) %}
-    <h4>User Audit Log</h4>
+  <h4>User Audit Log</h4>
-    <table class="table">
+  <table class="table">
-        <thead>
+    <thead>
      <tr>
        <th>User email</th>
        <th>Action</th>
        <th>Message</th>
        <th>Time</th>
      </tr>
    </thead>
    <tbody>
      {% for entry in user_audit_log %}
        <tr>
-            <th>User email</th>
+          <td>
-            <th>Action</th>
+            <a href="?email={{ entry.user_email }}">{{ entry.user_email }}</a>
-            <th>Message</th>
+          </td>
-            <th>Time</th>
+          <td>{{ entry.action }}</td>
          <td>{{ entry.message }}</td>
          <td>{{ entry.created_at }}</td>
        </tr>
-        </thead>
+      {% endfor %}
-        <tbody>
+    </tbody>
-        {% for entry in user_audit_log %}
+  </table>
            <tr>
                <td><a href="?email={{ entry.user_email }}">{{ entry.user_email }}</a></td>
                <td>{{ entry.action }}</td>
                <td>{{ entry.message }}</td>
                <td>{{ entry.created_at }}</td>
            </tr>
        {% endfor %}
        </tbody>
    </table>
 {% endmacro %}
 {% block body %}
  <div class="border border-dark border-2 mt-1 mb-2 p-3">
    <form method="get">
      <div class="form-group">
        <label for="email">Email to search:</label>
        <input type="text"
               class="form-control"
               name="email"
               value="{{ email or '' }}" />
      </div>
      <button type="submit" class="btn btn-primary">Submit</button>
    </form>
  </div>
  {% if data.no_match and email %}
    <div class="border border-dark border-2 mt-1 mb-2 p-3 alert alert-warning"
         role="alert">No user, alias or mailbox found for {{ email }}</div>
  {% endif %}
  {% if data.alias %}
    <div class="border border-dark border-2 mt-1 mb-2 p-3">
-        <form method="get">
+      <h3 class="mb-3">Found Alias {{ data.alias.email }}</h3>
-            <div class="form-group">
+      {{ list_alias(1,[data.alias]) }}
-                <label for="email">Email to search:</label>
+      {{ list_alias_audit_log(data.alias_audit_log) }}
-                <input type="text"
+      {{ list_mailboxes("Mailboxes for alias", helper.alias_mailbox_count(data.alias) , helper.alias_mailboxes(data.alias)) }}
-                       class="form-control"
+      {{ show_user(data.alias.user) }}
                       name="email"
                       value="{{ email or '' }}"/>
            </div>
            <button type="submit" class="btn btn-primary">Submit</button>
        </form>
    </div>
-    {% if data.no_match and email %}
+  {% endif %}
-        <div class="border border-dark border-2 mt-1 mb-2 p-3 alert alert-warning"
+  {% if data.user %}
             role="alert">No user, alias or mailbox found for {{ email }}</div>
    {% endif %}
-    {% if data.alias %}
+    <div class="border border-dark border-2 mt-1 mb-2 p-3">
-        <div class="border border-dark border-2 mt-1 mb-2 p-3">
+      <h3 class="mb-3">Found User {{ data.user.email }}</h3>
-            <h3 class="mb-3">Found Alias {{ data.alias.email }}</h3>
+      {{ show_user(data.user) }}
-            {{ list_alias(1,[data.alias]) }}
+      {{ list_mailboxes("Mailboxes for user", helper.mailbox_count(data.user) , helper.mailbox_list(data.user) ) }}
-            {{ list_alias_audit_log(data.alias_audit_log) }}
+      {{ list_alias(helper.alias_count(data.user) ,helper.alias_list(data.user)) }}
-            {{ list_mailboxes("Mailboxes for alias", helper.alias_mailbox_count(data.alias), helper.alias_mailboxes(data.alias)) }}
+    </div>
-            {{ show_user(data.alias.user) }}
+  {% endif %}
-        </div>
+  {% if data.user_audit_log %}
    {% endif %}
-    {% if data.user %}
+    <div class="border border-dark border-2 mt-1 mb-2 p-3">
-        <div class="border border-dark border-2 mt-1 mb-2 p-3">
+      <h3 class="mb-3">Audit log entries for user {{ data.query }}</h3>
-            <h3 class="mb-3">Found User {{ data.user.email }}</h3>
+      {{ list_user_audit_log(data.user_audit_log) }}
-            {{ show_user(data.user) }}
+    </div>
-            {{ list_mailboxes("Mailboxes for user", helper.mailbox_count(data.user) , helper.mailbox_list(data.user) ) }}
+  {% endif %}
-            {{ list_alias(helper.alias_count(data.user) ,helper.alias_list(data.user)) }}
+  {% if data.mailbox_count > 10 %}
        </div>
    {% endif %}
    {% if data.user_audit_log %}
        <div class="border border-dark border-2 mt-1 mb-2 p-3">
            <h3 class="mb-3">Audit log entries for user {{ data.query }}</h3>
            {{ list_user_audit_log(data.user_audit_log) }}
        </div>
    {% endif %}
    {% if data.mailbox_count > 10 %}
        <h3>Found more than 10 mailboxes for {{ email }}. Showing the last 10</h3>
    {% elif data.mailbox_count > 0 %}
        <h3>Found {{ data.mailbox_count }} mailbox(es) for {{ email }}</h3>
    {% endif %}
    {% for mailbox in data.mailbox %}
-        <div class="border border-dark mt-1 mb-2 p-3">
+    <h3>Found more than 10 mailboxes for {{ email }}. Showing the last 10</h3>
-            <h3 class="mb-3">Found Mailbox {{ mailbox.email }}</h3>
+  {% elif data.mailbox_count > 0 %}
-            {{ list_mailboxes("Mailbox found", 1, [mailbox]) }}
+    <h3>Found {{ data.mailbox_count }} mailbox(es) for {{ email }}</h3>
-            {{ show_user(mailbox.user) }}
+  {% endif %}
-        </div>
+  {% for mailbox in data.mailbox %}
    {% endfor %}
    {% if data.deleted_alias %}
-        <div class="border border-dark mt-1 mb-2 p-3">
+    <div class="border border-dark mt-1 mb-2 p-3">
-            <h3 class="mb-3">Found DeletedAlias {{ data.deleted_alias.email }}</h3>
+      <h3 class="mb-3">Found Mailbox {{ mailbox.email }}</h3>
-            {{ show_deleted_alias(data.deleted_alias) }}
+      {{ list_mailboxes("Mailbox found", 1, [mailbox]) }}
-            {{ list_alias_audit_log(data.deleted_alias_audit_log) }}
+      {{ show_user(mailbox.user) }}
-        </div>
+    </div>
-    {% endif %}
+  {% endfor %}
-    {% if data.domain_deleted_alias %}
+  {% if data.deleted_alias %}
-        <div class="border border-dark mt-1 mb-2 p-3">
+    <div class="border border-dark mt-1 mb-2 p-3">
-            <h3 class="mb-3">Found DomainDeletedAlias {{ data.domain_deleted_alias.email }}</h3>
+      <h3 class="mb-3">Found DeletedAlias {{ data.deleted_alias.email }}</h3>
-            {{ show_domain_deleted_alias(data.domain_deleted_alias) }}
+      {{ show_deleted_alias(data.deleted_alias) }}
-            {{ list_alias_audit_log(data.domain_deleted_alias_audit_log) }}
+      {{ list_alias_audit_log(data.deleted_alias_audit_log) }}
-        </div>
+    </div>
-    {% endif %}
+  {% endif %}
  {% if data.domain_deleted_alias %}
    <div class="border border-dark mt-1 mb-2 p-3">
      <h3 class="mb-3">Found DomainDeletedAlias {{ data.domain_deleted_alias.email }}</h3>
      {{ show_domain_deleted_alias(data.domain_deleted_alias) }}
      {{ list_alias_audit_log(data.domain_deleted_alias_audit_log) }}
    </div>
  {% endif %}
 {% endblock %}
--- a/app/templates/dashboard/billing.html
+++ b/app/templates/dashboard/billing.html
@ -43,7 +43,7 @@
          You can change the plan at any moment.
          <br />
          Please note that the new billing cycle starts instantly
-          i.e. you will be charged <b>immediately</b> the annual fee ($30) when switching from monthly plan or vice-versa
+          i.e. you will be charged <b>immediately</b> the annual fee ($36) when switching from monthly plan or vice-versa
          <b>without pro rata computation </b>.
          <br />
          To change the plan you can also cancel the current one and subscribe a new one <b>by the end</b> of this plan.
--- a/app/templates/dashboard/custom_domain.html
+++ b/app/templates/dashboard/custom_domain.html
@ -94,4 +94,3 @@
    </div>
  </div>
 {% endblock %}
--- a/app/templates/dashboard/domain_detail/dns.html
+++ b/app/templates/dashboard/domain_detail/dns.html
@ -91,7 +91,6 @@
          <br />
          Some domain registrars (Namecheap, CloudFlare, etc) might also use <em>@</em> for the root domain.
        </div>
        {% for record in expected_mx_records %}
          <div class="mb-3 p-3 dns-record">
@ -108,7 +107,6 @@
     data-clipboard-text="{{ record.domain }}">{{ record.domain }}</em>
          </div>
        {% endfor %}
        <form method="post" action="#mx-form">
          {{ csrf_form.csrf_token }}
          <input type="hidden" name="form-name" value="check-mx">
--- a/app/templates/dashboard/enter_sudo.html
+++ b/app/templates/dashboard/enter_sudo.html
@ -22,7 +22,8 @@
          <p>Alternatively you can use your Proton credentials to ensure it's you.</p>
        </div>
        <a class="btn btn-primary btn-block mt-2 proton-button"
-           href="{{ url_for('auth.proton_login', next=next) }}" style="max-width: 400px">
+           href="{{ url_for('auth.proton_login', next=next) }}"
           style="max-width: 400px">
          <img class="mr-2" src="/static/images/proton.svg" />
          Authenticate with Proton
        </a>
@ -38,4 +39,4 @@
        {% endif %}
      </div>
    </div>
-  {% endblock %}
+  {% endblock %}
--- a/app/templates/dashboard/extend_subscription.html
+++ b/app/templates/dashboard/extend_subscription.html
@ -11,7 +11,7 @@
      <div>
        <a class="buy-with-crypto"
           data-custom="{{ current_user.id }}"
-           href="{{ coinbase_url }}">Extend for 1 year - $30</a>
+           href="{{ coinbase_url }}">Extend for 1 year - $36</a>
        <script src="https://commerce.coinbase.com/v1/checkout.js?version=201807"></script>
      </div>
      <div class="mt-2">
--- a/app/templates/dashboard/pricing.html
+++ b/app/templates/dashboard/pricing.html
@ -57,24 +57,19 @@
 {% endblock %}
 {% block default_content %}
-  {% if NOW.timestamp < 1701475201 %}
+  {% if NOW.timestamp < 1733184000 %}
-    <div class="alert alert-info">
+    <div class="alert alert-primary">
-      Black Friday Deal: 33% off on the yearly plan for the <b>first</b> year ($20 instead of $30).
+      Lifetime deal for SimpleLogin Premium and Proton Pass Plus for $199
      <a class="btn btn-primary"
         href="https://proton.me/pass/black-friday"
         target="_blank">Buy now</a>
      <br>
-      Please use this coupon code
+      Available until December 3, 2024.
      <em data-toggle="tooltip"
          title="Click to copy"
          class="clipboard"
          data-clipboard-text="BF2023">BF2023</em> during the checkout.
      <br>
      <img src="/static/images/coupon.png" class="m-2" style="max-width: 300px">
      <br>
      Available until December 1, 2023.
    </div>
  {% endif %}
  <div class="pb-8">
-    <div class="text-center mx-md-auto mb-8 mt-6">
+    <div class="text-center mx-md-auto mb-4 mt-4">
      <h1>Upgrade to unlock premium features</h1>
    </div>
    {% if manual_sub %}
@ -126,6 +121,11 @@
         aria-selected="true">Yearly<span class="badge badge-success position-absolute tab-yearly__badge"
      style="font-size: 12px">Save $18</span></a>
    </div>
    <div class="alert alert-info">
      <span class="badge badge-success">new</span> SimpleLogin Premium now includes Proton Pass premium features.
      <a href="https://simplelogin.io/blog/sl-premium-including-pass-plus/"
         target="_blank">Learn more ↗</a>
    </div>
    <div class="tab-content mb-8">
      <!-- monthly tab content -->
      <div class="tab-pane"
@ -218,12 +218,12 @@
              <div class="card card-md flex-grow-1">
                <div class="card-body">
                  <div class="text-center">
-                    <div class="h3">Proton plan</div>
+                    <div class="h3">Proton Unlimited</div>
                    <div class="h3 my-3">Starts at $12.99 / month</div>
                    <div class="text-center mt-4 mb-6">
                      <a class="btn btn-lg btn-outline-primary w-100"
                         role="button"
-                         href="https://account.proton.me/u/0/mail/upgrade"
+                         href="https://account.proton.me/u/0/pass/upgrade"
                         target="_blank">Upgrade your Proton account</a>
                    </div>
                  </div>
@ -306,7 +306,7 @@
              <div class="card-body">
                <div class="text-center">
                  <div class="h3">SimpleLogin Premium</div>
-                  <div class="h3 my-3">$30 / year</div>
+                  <div class="h3 my-3">$36 / year</div>
                  <div class="text-center mt-4 mb-6">
                    <button class="btn btn-primary btn-lg w-100"
                            onclick="upgradePaddle({{ PADDLE_YEARLY_PRODUCT_ID }})">Upgrade to Premium</button>
@ -357,12 +357,12 @@
              <div class="card card-md flex-grow-1">
                <div class="card-body">
                  <div class="text-center">
-                    <div class="h3">Proton plan</div>
+                    <div class="h3">Proton Unlimited</div>
                    <div class="h3 my-3">Starts at $119.88 / year</div>
                    <div class="text-center mt-4 mb-6">
                      <a class="btn btn-lg btn-outline-primary w-100"
                         role="button"
-                         href="https://account.proton.me/u/0/mail/upgrade"
+                         href="https://account.proton.me/u/0/pass/upgrade"
                         target="_blank">Upgrade your Proton account</a>
                    </div>
                  </div>
@ -471,7 +471,7 @@
                   rel="noopener noreferrer">
                  Upgrade to Premium - cryptocurrency
                  <br />
-                  $30 / year
+                  $36 / year
                  <i class="fe fe-external-link"></i>
                </a>
              </div>
--- a/app/templates/dashboard/setting.html
+++ b/app/templates/dashboard/setting.html
@ -79,7 +79,14 @@
              </a>
            </div>
          {% endif %}
-          {% if partner_sub %}<div>Premium subscription managed by {{ partner_name }}.</div>{% endif %}
+          {% if partner_sub %}
            {% if partner_sub.lifetime %}
              <div>Premium lifetime subscription managed by {{ partner_name }}.</div>
            {% else %}
              <div>Premium subscription managed by {{ partner_name }}.</div>
            {% endif %}
          {% endif %}
        {% elif current_user.in_trial() %}
          Your Premium trial expires {{ current_user.trial_end | dt }}.
        {% else %}
--- a/app/tests/api/test_alias.py
+++ b/app/tests/api/test_alias.py
@ -511,6 +511,19 @@ def test_create_contact_route_invalid_alias(flask_client):
    assert r.status_code == 403
 def test_create_contact_route_non_existing_alias(flask_client):
    user, api_key = get_new_user_and_api_key()
    Session.commit()
    r = flask_client.post(
        url_for("api.create_contact_route", alias_id=99999999),
        headers={"Authentication": api_key.code},
        json={"contact": "First Last <first@example.com>"},
    )
    assert r.status_code == 403
 def test_create_contact_route_free_users(flask_client):
    user, api_key = get_new_user_and_api_key()
@ -536,7 +549,7 @@ def test_create_contact_route_free_users(flask_client):
    assert r.status_code == 201
    # End trial and disallow for new free users. Config should allow it
-    user.flags = User.FLAG_DISABLE_CREATE_CONTACTS
+    user.flags = User.FLAG_FREE_DISABLE_CREATE_CONTACTS
    Session.commit()
    r = flask_client.post(
        url_for("api.create_contact_route", alias_id=alias.id),
--- a/app/tests/api/test_mailbox.py
+++ b/app/tests/api/test_mailbox.py
@ -5,7 +5,7 @@ from app.models import Mailbox
 from tests.utils import login
-def test_create_mailbox(flask_client):
+def test_create_mailbox_valid(flask_client):
    login(flask_client)
    r = flask_client.post(
@ -21,10 +21,34 @@ def test_create_mailbox(flask_client):
    assert r.json["default"] is False
    assert r.json["nb_alias"] == 0
-    # invalid email address
+
 def test_create_mailbox_invalid_email(flask_client):
    login(flask_client)
    r = flask_client.post(
        "/api/mailboxes",
-        json={"email": "gmail.com"},
+        json={"email": "gmail.com"},  # not an email address
    )
    assert r.status_code == 400
    assert r.json == {"error": "Invalid email"}
 def test_create_mailbox_empty_payload(flask_client):
    login(flask_client)
    r = flask_client.post(
        "/api/mailboxes",
        json={},
    )
    assert r.status_code == 400
    assert r.json == {"error": "Invalid email"}
 def test_create_mailbox_empty_email(flask_client):
    login(flask_client)
    r = flask_client.post(
        "/api/mailboxes",
        json={"email": ""},
    )
    assert r.status_code == 400
--- a/app/tests/jobs/test_delete_mailbox_job.py
+++ b/app/tests/jobs/test_delete_mailbox_job.py
@ -36,6 +36,24 @@ def test_delete_mailbox_transfer_mailbox_primary(flask_client):
    assert str(mails_sent[0].msg).find("alias have been transferred") > -1
@mail_sender.store_emails_test_decorator
 def test_delete_mailbox_no_email(flask_client):
    user = create_new_user()
    m1 = Mailbox.create(
        user_id=user.id, email=random_email(), verified=True, flush=True
    )
    job = Job.create(
        name=JOB_DELETE_MAILBOX,
        payload={"mailbox_id": m1.id, "transfer_mailbox_id": None, "send_mail": False},
        run_at=arrow.now(),
        commit=True,
    )
    Session.commit()
    delete_mailbox_job(job)
    mails_sent = mail_sender.get_stored_emails()
    assert len(mails_sent) == 0
@mail_sender.store_emails_test_decorator
 def test_delete_mailbox_transfer_mailbox_in_list(flask_client):
    user = create_new_user()
--- a/app/tests/jobs/test_send_event_to_webhook.py
+++ b/app/tests/jobs/test_send_event_to_webhook.py
@ -0,0 +1,40 @@
 import arrow
 from app import config
 from app.events.generated.event_pb2 import EventContent, AliasDeleted
 from app.jobs.send_event_job import SendEventToWebhookJob
 from app.models import PartnerUser
 from app.proton.utils import get_proton_partner
 from events.event_sink import ConsoleEventSink
 from tests.utils import create_new_user, random_token
 def test_serialize_and_deserialize_job():
    user = create_new_user()
    alias_id = 34
    alias_email = "a@b.c"
    event = EventContent(alias_deleted=AliasDeleted(id=alias_id, email=alias_email))
    run_at = arrow.now().shift(hours=10)
    db_job = SendEventToWebhookJob(user, event).store_job_in_db(run_at=run_at)
    assert db_job.run_at == run_at
    assert db_job.name == config.JOB_SEND_EVENT_TO_WEBHOOK
    job = SendEventToWebhookJob.create_from_job(db_job)
    assert job._user.id == user.id
    assert job._event.alias_deleted.id == alias_id
    assert job._event.alias_deleted.email == alias_email
 def test_send_event_to_webhook():
    user = create_new_user()
    PartnerUser.create(
        user_id=user.id,
        partner_id=get_proton_partner().id,
        external_user_id=random_token(10),
        flush=True,
    )
    alias_id = 34
    alias_email = "a@b.c"
    event = EventContent(alias_deleted=AliasDeleted(id=alias_id, email=alias_email))
    job = SendEventToWebhookJob(user, event)
    sink = ConsoleEventSink()
    assert job.run(sink)
--- a/app/tests/models/test_alias.py
+++ b/app/tests/models/test_alias.py
@ -1,5 +1,5 @@
 from app.db import Session
-from app.models import Alias, Mailbox, AliasMailbox, User
+from app.models import Alias, Mailbox, AliasMailbox, User, CustomDomain
 from tests.utils import create_new_user, random_email
@ -29,3 +29,23 @@ def test_alias_create_from_partner_flags_also_the_user():
        flush=True,
    )
    assert alias.user.flags & User.FLAG_CREATED_ALIAS_FROM_PARTNER > 0
 def test_alias_create_from_partner_domain_flags_the_alias():
    user = create_new_user()
    domain = CustomDomain.create(
        domain=random_email(),
        verified=True,
        user_id=user.id,
        partner_id=1,
    )
    Session.flush()
    email = random_email()
    alias = Alias.create(
        user_id=user.id,
        email=email,
        mailbox_id=user.default_mailbox_id,
        custom_domain_id=domain.id,
        flush=True,
    )
    assert alias.flags & Alias.FLAG_PARTNER_CREATED > 0
--- a/app/tests/proton/test_account_linking.py
+++ b/app/tests/proton/test_account_linking.py
@ -0,0 +1,100 @@
 import arrow
 from app.account_linking import (
    SLPlan,
    SLPlanType,
    set_plan_for_partner_user,
 )
 from app.db import Session
 from app.models import User, PartnerUser, PartnerSubscription
 from app.proton.utils import get_proton_partner
 from app.utils import random_string
 from tests.utils import random_email
 partner_user_id: int = 0
 def setup_module():
    global partner_user_id
    email = random_email()
    external_id = random_string()
    sl_user = User.create(email, commit=True)
    partner_user_id = PartnerUser.create(
        user_id=sl_user.id,
        partner_id=get_proton_partner().id,
        external_user_id=external_id,
        partner_email=email,
        commit=True,
    ).id
 def setup_function(func):
    Session.query(PartnerSubscription).delete()
 def test_free_plan_removes_sub():
    pu = PartnerUser.get(partner_user_id)
    sub_id = PartnerSubscription.create(
        partner_user_id=partner_user_id,
        end_at=arrow.utcnow(),
        lifetime=False,
        commit=True,
    ).id
    set_plan_for_partner_user(pu, plan=SLPlan(type=SLPlanType.Free, expiration=None))
    assert PartnerSubscription.get(sub_id) is None
 def test_premium_plan_updates_expiration():
    pu = PartnerUser.get(partner_user_id)
    sub_id = PartnerSubscription.create(
        partner_user_id=partner_user_id,
        end_at=arrow.utcnow(),
        lifetime=False,
        commit=True,
    ).id
    new_expiration = arrow.utcnow().shift(days=+10)
    set_plan_for_partner_user(
        pu, plan=SLPlan(type=SLPlanType.Premium, expiration=new_expiration)
    )
    assert PartnerSubscription.get(sub_id).end_at == new_expiration
 def test_premium_plan_creates_sub():
    pu = PartnerUser.get(partner_user_id)
    new_expiration = arrow.utcnow().shift(days=+10)
    set_plan_for_partner_user(
        pu, plan=SLPlan(type=SLPlanType.Premium, expiration=new_expiration)
    )
    assert (
        PartnerSubscription.get_by(partner_user_id=partner_user_id).end_at
        == new_expiration
    )
 def test_lifetime_creates_sub():
    pu = PartnerUser.get(partner_user_id)
    new_expiration = arrow.utcnow().shift(days=+10)
    set_plan_for_partner_user(
        pu, plan=SLPlan(type=SLPlanType.PremiumLifetime, expiration=new_expiration)
    )
    sub = PartnerSubscription.get_by(partner_user_id=partner_user_id)
    assert sub is not None
    assert sub.end_at is None
    assert sub.lifetime
 def test_lifetime_updates_sub():
    pu = PartnerUser.get(partner_user_id)
    sub_id = PartnerSubscription.create(
        partner_user_id=partner_user_id,
        end_at=arrow.utcnow(),
        lifetime=False,
        commit=True,
    ).id
    set_plan_for_partner_user(
        pu, plan=SLPlan(type=SLPlanType.PremiumLifetime, expiration=arrow.utcnow())
    )
    sub = PartnerSubscription.get(sub_id)
    assert sub is not None
    assert sub.end_at is None
    assert sub.lifetime
--- a/app/tests/proton/test_proton_callback_handler.py
+++ b/app/tests/proton/test_proton_callback_handler.py
@ -25,15 +25,17 @@ class MockProtonClient(ProtonClient):
        return self.user
-def check_initial_sync_job(user: User):
+def check_initial_sync_job(user: User, expected: bool):
    found = False
    for job in Job.yield_per_query(10).filter_by(
        name=config.JOB_SEND_ALIAS_CREATION_EVENTS,
        state=JobState.ready.value,
    ):
        if job.payload.get("user_id") == user.id:
            found = True
            Job.delete(job.id)
-            return
+            break
-    assert False
+    assert expected == found
 def test_proton_callback_handler_unexistant_sl_user():
@ -69,10 +71,9 @@ def test_proton_callback_handler_unexistant_sl_user():
    )
    assert partner_user is not None
    assert partner_user.external_user_id == external_id
    check_initial_sync_job(res.user)
-def test_proton_callback_handler_existant_sl_user():
+def test_proton_callback_handler_existing_sl_user():
    email = random_email()
    sl_user = User.create(email, commit=True)
@ -98,7 +99,43 @@ def test_proton_callback_handler_existant_sl_user():
    sa = PartnerUser.get_by(user_id=sl_user.id, partner_id=get_proton_partner().id)
    assert sa is not None
    assert sa.partner_email == user.email
-    check_initial_sync_job(res.user)
+    check_initial_sync_job(res.user, True)
 def test_proton_callback_handler_linked_sl_user():
    email = random_email()
    external_id = random_string()
    sl_user = User.create(email, commit=True)
    PartnerUser.create(
        user_id=sl_user.id,
        partner_id=get_proton_partner().id,
        external_user_id=external_id,
        partner_email=email,
        commit=True,
    )
    user = UserInformation(
        email=email,
        name=random_string(),
        id=external_id,
        plan=SLPlan(type=SLPlanType.Premium, expiration=Arrow.utcnow().shift(hours=2)),
    )
    handler = ProtonCallbackHandler(MockProtonClient(user=user))
    res = handler.handle_login(get_proton_partner())
    assert res.user is not None
    assert res.user.id == sl_user.id
    # Ensure the user is not marked as created from partner
    assert User.FLAG_CREATED_FROM_PARTNER != (
        res.user.flags & User.FLAG_CREATED_FROM_PARTNER
    )
    assert res.user.notification is True
    assert res.user.trial_end is not None
    sa = PartnerUser.get_by(user_id=sl_user.id, partner_id=get_proton_partner().id)
    assert sa is not None
    assert sa.partner_email == user.email
    check_initial_sync_job(res.user, False)
 def test_proton_callback_handler_none_user_login():
--- a/app/tests/test_account_linking.py
+++ b/app/tests/test_account_linking.py
@ -144,6 +144,21 @@ def test_login_case_from_web():
    assert audit_logs[0].action == UserAuditLogAction.LinkAccount.value
 def test_new_user_strategy_create_missing_link():
    email = random_email()
    user = User.create(email, commit=True)
    nus = NewUserStrategy(
        link_request=random_link_request(
            email=user.email, external_user_id=random_string(), from_partner=False
        ),
        user=None,
        partner=get_proton_partner(),
    )
    result = nus.create_missing_link(user.email)
    assert result.user.id == user.id
    assert result.strategy == ExistingUnlinkedUserStrategy.__name__
 def test_get_strategy_existing_sl_user():
    email = random_email()
    user = User.create(email, commit=True)
--- a/app/tests/test_contact_utils.py
+++ b/app/tests/test_contact_utils.py
@ -135,7 +135,7 @@ def test_create_contact_free_user():
    assert result.contact is not None
    assert not result.contact.automatic_created
    # Free users with the flag should be able to still create automatic emails
-    user.flags = User.FLAG_DISABLE_CREATE_CONTACTS
+    user.flags = User.FLAG_FREE_DISABLE_CREATE_CONTACTS
    Session.flush()
    result = create_contact(random_email(), alias, automatic_created=True)
    assert result.error is None
--- a/app/tests/test_email_handler.py
+++ b/app/tests/test_email_handler.py
@ -2,6 +2,7 @@ import random
 from email.message import EmailMessage
 from typing import List
 import arrow
 import pytest
 from aiosmtpd.smtp import Envelope
@ -14,7 +15,6 @@ from app.email_utils import generate_verp_email
 from app.mail_sender import mail_sender
 from app.models import (
    Alias,
    AuthorizedAddress,
    IgnoredEmail,
    EmailLog,
    Notification,
@ -24,35 +24,12 @@ from app.models import (
 )
 from app.utils import random_string, canonicalize_email
 from email_handler import (
    get_mailbox_from_mail_from,
    should_ignore,
    is_automatic_out_of_office,
 )
 from tests.utils import load_eml_file, create_new_user, random_email
 def test_get_mailbox_from_mail_from(flask_client):
    user = create_new_user()
    alias = Alias.create_new_random(user)
    Session.commit()
    mb = get_mailbox_from_mail_from(user.email, alias)
    assert mb.email == user.email
    mb = get_mailbox_from_mail_from("unauthorized@gmail.com", alias)
    assert mb is None
    # authorized address
    AuthorizedAddress.create(
        user_id=user.id,
        mailbox_id=user.default_mailbox_id,
        email="unauthorized@gmail.com",
        commit=True,
    )
    mb = get_mailbox_from_mail_from("unauthorized@gmail.com", alias)
    assert mb.email == user.email
 def test_should_ignore(flask_client):
    assert should_ignore("mail_from", []) is False
@ -411,3 +388,15 @@ def test_preserve_headers(flask_client):
    msg = sent_mails[0].msg
    for header in headers_to_keep:
        assert msg[header] == header + "keep"
 def test_not_send_to_pending_to_delete_users(flask_client):
    user = create_new_user()
    alias = Alias.create_new_random(user)
    user.delete_on = arrow.utcnow()
    envelope = Envelope()
    envelope.mail_from = "somewhere@lo.cal"
    envelope.rcpt_tos = [alias.email]
    msg = EmailMessage()
    result = email_handler.handle(envelope, msg)
    assert result == status.E504
--- a/app/tests/test_email_utils.py
+++ b/app/tests/test_email_utils.py
@ -791,12 +791,21 @@ def test_parse_id_from_bounce():
    assert parse_id_from_bounce("anything+1234+@local") == 1234
-def test_get_queue_id():
+def test_get_queue_id_esmtps():
    for id_type in ["SMTP", "ESMTP", "ESMTPA", "ESMTPS"]:
        msg = email.message_from_string(
            f"Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434])\r\n\t(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\r\n\t(No client certificate requested)\r\n\tby mx1.simplelogin.co (Postfix) with {id_type} id 4FxQmw1DXdz2vK2\r\n\tfor <jglfdjgld@alias.com>; Fri,  4 Jun 2021 14:55:43 +0000 (UTC)"
        )
        assert get_queue_id(msg) == "4FxQmw1DXdz2vK2", f"Failed for {id_type}"
 def test_get_queue_id_postfix():
    msg = email.message_from_string(
-        "Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434])\r\n\t(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\r\n\t(No client certificate requested)\r\n\tby mx1.simplelogin.co (Postfix) with ESMTPS id 4FxQmw1DXdz2vK2\r\n\tfor <jglfdjgld@alias.com>; Fri,  4 Jun 2021 14:55:43 +0000 (UTC)"
+        "Received: by mailin001.somewhere.net (Postfix)\r\n\tid 4Xz5pb2nMszGrqpL; Wed, 27 Nov 2024 17:21:59 +0000 (UTC)'] by mailin001.somewhere.net (Postfix)"
    )
-    assert get_queue_id(msg) == "4FxQmw1DXdz2vK2"
+    assert get_queue_id(msg) == "4Xz5pb2nMszGrqpL"
 def test_get_queue_id_from_double_header():
--- a/app/tests/test_mailbox_utils.py
+++ b/app/tests/test_mailbox_utils.py
@ -6,9 +6,18 @@ import pytest
 from app import mailbox_utils, config
 from app.db import Session
 from app.mail_sender import mail_sender
-from app.mailbox_utils import MailboxEmailChangeError
+from app.mailbox_utils import MailboxEmailChangeError, get_mailbox_for_reply_phase
-from app.models import Mailbox, MailboxActivation, User, Job, UserAuditLog
+from app.models import (
    Mailbox,
    MailboxActivation,
    User,
    Job,
    UserAuditLog,
    Alias,
    AuthorizedAddress,
 )
 from app.user_audit_log_utils import UserAuditLogAction
 from app.utils import random_string, canonicalize_email
 from tests.utils import create_new_user, random_email
@ -50,6 +59,14 @@ def test_already_used():
        mailbox_utils.create_mailbox(user, user.email)
 def test_already_used_with_different_case():
    user.lifetime = True
    email = random_email()
    mailbox_utils.create_mailbox(user, email)
    with pytest.raises(mailbox_utils.MailboxError):
        mailbox_utils.create_mailbox(user, email.upper())
@mail_sender.store_emails_test_decorator
 def test_create_mailbox():
    email = random_email()
@ -286,6 +303,15 @@ def test_verify_other_users_mailbox():
        mailbox_utils.verify_mailbox_code(user, mailbox.id, "9999999")
 def test_verify_other_users_already_verified_mailbox():
    other = create_new_user()
    mailbox = Mailbox.create(
        user_id=other.id, email=random_email(), verified=True, commit=True
    )
    with pytest.raises(mailbox_utils.MailboxError):
        mailbox_utils.verify_mailbox_code(user, mailbox.id, "9999999")
@mail_sender.store_emails_test_decorator
 def test_verify_fail():
    output = mailbox_utils.create_mailbox(user, random_email())
@ -305,10 +331,13 @@ def test_verify_too_may():
    output = mailbox_utils.create_mailbox(user, random_email())
    output.activation.tries = mailbox_utils.MAX_ACTIVATION_TRIES
    Session.commit()
-    with pytest.raises(mailbox_utils.CannotVerifyError):
+    try:
        mailbox_utils.verify_mailbox_code(
            user, output.mailbox.id, output.activation.code
        )
        assert False
    except mailbox_utils.CannotVerifyError as e:
        assert e.deleted_activation_code
@mail_sender.store_emails_test_decorator
@ -406,3 +435,75 @@ def test_perform_mailbox_email_change_success():
        user_id=user.id, action=UserAuditLogAction.UpdateMailbox.value
    ).count()
    assert audit_log_entries == 1
 def test_get_mailbox_from_mail_from(flask_client):
    user = create_new_user()
    alias = Alias.create_new_random(user)
    Session.commit()
    mb = get_mailbox_for_reply_phase(user.email, "", alias)
    assert mb.email == user.email
    mb = get_mailbox_for_reply_phase("unauthorized@gmail.com", "", alias)
    assert mb is None
    # authorized address
    AuthorizedAddress.create(
        user_id=user.id,
        mailbox_id=user.default_mailbox_id,
        email="unauthorized@gmail.com",
        commit=True,
    )
    mb = get_mailbox_for_reply_phase("unauthorized@gmail.com", "", alias)
    assert mb.email == user.email
 def test_get_mailbox_from_mail_from_for_canonical_email(flask_client):
    prefix = random_string(10)
    email = f"{prefix}+subaddresxs@gmail.com"
    canonical_email = canonicalize_email(email)
    assert canonical_email != email
    user = create_new_user()
    mbox = Mailbox.create(
        email=canonical_email, user_id=user.id, verified=True, flush=True
    )
    alias = Alias.create(user_id=user.id, email=random_email(), mailbox_id=mbox.id)
    Session.flush()
    mb = get_mailbox_for_reply_phase(email, "", alias)
    assert mb.email == canonical_email
    mb = get_mailbox_for_reply_phase(canonical_email, "", alias)
    assert mb.email == canonical_email
 def test_get_mailbox_from_mail_from_coming_from_header_if_domain_is_aligned(
    flask_client,
 ):
    domain = f"{random_string(10)}.com"
    envelope_from = f"envelope_verp@{domain}"
    mail_from = f"mail_from@{domain}"
    user = create_new_user()
    mbox = Mailbox.create(email=mail_from, user_id=user.id, verified=True, flush=True)
    alias = Alias.create(user_id=user.id, email=random_email(), mailbox_id=mbox.id)
    Session.flush()
    mb = get_mailbox_for_reply_phase(envelope_from, mail_from, alias)
    assert mb.email == mail_from
 def test_get_mailbox_from_mail_from_coming_from_header_if_domain_is_not_aligned(
    flask_client,
 ):
    domain = f"{random_string(10)}.com"
    envelope_from = f"envelope_verp@{domain}"
    mail_from = f"mail_from@other_{domain}"
    user = create_new_user()
    mbox = Mailbox.create(email=mail_from, user_id=user.id, verified=True, flush=True)
    alias = Alias.create(user_id=user.id, email=random_email(), mailbox_id=mbox.id)
    Session.flush()
    mb = get_mailbox_for_reply_phase(envelope_from, mail_from, alias)
    assert mb is None
Author	SHA1	Message	Date
MrMeeb	664cd32f81	4.63.0 All checks were successful Build-Release-Image / Build-Image (linux/amd64) (push) Successful in 3m54s Details Build-Release-Image / Build-Image (linux/arm64) (push) Successful in 23m12s Details Build-Release-Image / Merge-Images (push) Successful in 46s Details Build-Release-Image / Create-Release (push) Successful in 9s Details Build-Release-Image / Notify (push) Successful in 3s Details	2025-01-20 12:00:06 +00:00
MrMeeb	33f0eb6c41	4.62.0 All checks were successful Build-Release-Image / Build-Image (linux/amd64) (push) Successful in 4m44s Details Build-Release-Image / Build-Image (linux/arm64) (push) Successful in 5m31s Details Build-Release-Image / Merge-Images (push) Successful in 46s Details Build-Release-Image / Create-Release (push) Successful in 14s Details Build-Release-Image / Notify (push) Successful in 2s Details	2024-12-20 12:00:08 +00:00
MrMeeb	9fd2fa9a78	4.61.1 All checks were successful Build-Release-Image / Build-Image (linux/arm64) (push) Successful in 3m41s Details Build-Release-Image / Build-Image (linux/amd64) (push) Successful in 4m6s Details Build-Release-Image / Merge-Images (push) Successful in 18s Details Build-Release-Image / Create-Release (push) Successful in 11s Details Build-Release-Image / Notify (push) Successful in 3s Details	2024-11-30 12:00:10 +00:00
MrMeeb	3c77f8af4b	4.61.0 All checks were successful Build-Release-Image / Build-Image (linux/arm64) (push) Successful in 4m9s Details Build-Release-Image / Build-Image (linux/amd64) (push) Successful in 4m14s Details Build-Release-Image / Merge-Images (push) Successful in 47s Details Build-Release-Image / Create-Release (push) Successful in 16s Details Build-Release-Image / Notify (push) Successful in 3s Details	2024-11-29 12:00:12 +00:00
MrMeeb	545eeda79b	4.59.5 All checks were successful Build-Release-Image / Build-Image (linux/amd64) (push) Successful in 3m2s Details Build-Release-Image / Build-Image (linux/arm64) (push) Successful in 3m43s Details Build-Release-Image / Merge-Images (push) Successful in 49s Details Build-Release-Image / Create-Release (push) Successful in 21s Details Build-Release-Image / Notify (push) Successful in 8s Details	2024-11-18 12:00:06 +00:00
MrMeeb	01dba12ed0	4.59.3 All checks were successful Build-Release-Image / Build-Image (linux/arm64) (push) Successful in 3m43s Details Build-Release-Image / Build-Image (linux/amd64) (push) Successful in 3m57s Details Build-Release-Image / Merge-Images (push) Successful in 53s Details Build-Release-Image / Create-Release (push) Successful in 8s Details Build-Release-Image / Notify (push) Successful in 3s Details	2024-11-16 12:00:07 +00:00
MrMeeb	c872d43c3d	4.59.2 All checks were successful Build-Release-Image / Build-Image (linux/arm64) (push) Successful in 4m7s Details Build-Release-Image / Build-Image (linux/amd64) (push) Successful in 4m46s Details Build-Release-Image / Merge-Images (push) Successful in 14s Details Build-Release-Image / Create-Release (push) Successful in 9s Details Build-Release-Image / Notify (push) Successful in 5s Details	2024-11-14 12:00:07 +00:00
MrMeeb	3e6867bc17	4.58 All checks were successful Build-Release-Image / Build-Image (linux/amd64) (push) Successful in 3m7s Details Build-Release-Image / Build-Image (linux/arm64) (push) Successful in 3m49s Details Build-Release-Image / Merge-Images (push) Successful in 15s Details Build-Release-Image / Create-Release (push) Successful in 8s Details Build-Release-Image / Notify (push) Successful in 3s Details	2024-11-07 12:00:06 +00:00
MrMeeb	a829074584	4.57.2 All checks were successful Build-Release-Image / Build-Image (linux/amd64) (push) Successful in 3m6s Details Build-Release-Image / Build-Image (linux/arm64) (push) Successful in 3m48s Details Build-Release-Image / Merge-Images (push) Successful in 20s Details Build-Release-Image / Create-Release (push) Successful in 11s Details Build-Release-Image / Notify (push) Successful in 2s Details	2024-11-06 12:00:08 +00:00
MrMeeb	25834e8f61	4.56.3 All checks were successful Build-Release-Image / Build-Image (linux/amd64) (push) Successful in 3m15s Details Build-Release-Image / Build-Image (linux/arm64) (push) Successful in 3m45s Details Build-Release-Image / Merge-Images (push) Successful in 15s Details Build-Release-Image / Create-Release (push) Successful in 10s Details Build-Release-Image / Notify (push) Successful in 21s Details	2024-11-05 12:00:07 +00:00
MrMeeb	a62b43b7c4	4.56.1 All checks were successful Build-Release-Image / Build-Image (linux/arm64) (push) Successful in 3m30s Details Build-Release-Image / Build-Image (linux/amd64) (push) Successful in 3m37s Details Build-Release-Image / Merge-Images (push) Successful in 22s Details Build-Release-Image / Create-Release (push) Successful in 24s Details Build-Release-Image / Notify (push) Successful in 3s Details	2024-10-25 12:00:05 +01:00
MrMeeb	44fda2d94e	4.56.0 All checks were successful Build-Release-Image / Build-Image (linux/amd64) (push) Successful in 3m24s Details Build-Release-Image / Build-Image (linux/arm64) (push) Successful in 3m34s Details Build-Release-Image / Merge-Images (push) Successful in 14s Details Build-Release-Image / Create-Release (push) Successful in 9s Details Build-Release-Image / Notify (push) Successful in 3s Details	2024-10-24 12:00:05 +01:00