4.64.1

4.64.0
4.63.0
2025-01-24 12:00:07 +00:00 · 2025-01-21 12:00:08 +00:00 · 2025-01-20 12:00:06 +00:00
34 changed files with 4304 additions and 450 deletions
--- a/app/.github/workflows/main.yml
+++ b/app/.github/workflows/main.yml
@ -1,6 +1,12 @@
-name: Test and lint
+name: SimpleLogin actions
-on: [push, pull_request]
+on:
  push:
    branches:
      - master
    tags:
      - v*
  pull_request:
 jobs:
  lint:
@ -9,35 +15,34 @@ jobs:
      - name: Check out repo
        uses: actions/checkout@v3
-      - name: Install poetry
+      - name: Install uv
-        run: pipx install poetry
+        uses: astral-sh/setup-uv@v5
      - uses: actions/setup-python@v4
        with:
-          python-version: '3.10'
+          # Install a specific version of uv.
-          cache: 'poetry'
+          version: "0.5.21"
          enable-cache: true
      - name: Install OS dependencies
        if: ${{ matrix.python-version }} == '3.10'
        run: |
          sudo apt update
          sudo apt install -y libre2-dev libpq-dev
      - name: "Set up Python"
        uses: actions/setup-python@v5
        with:
          python-version-file: "pyproject.toml"
      - name: Install dependencies
-        if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
+        if: steps.setup-uv.outputs.cache-hit != 'true'
-        run: poetry install --no-interaction
+        run: uv sync --locked --all-extras
      - name: Check formatting & linting
        run: |
-          poetry run pre-commit run --all-files
+          uv run pre-commit run --all-files
  test:
    runs-on: ubuntu-latest
    strategy:
      max-parallel: 4
      matrix:
        python-version: ["3.10"]
    # service containers to run with `postgres-job`
    services:
@ -69,23 +74,26 @@ jobs:
      - name: Check out repo
        uses: actions/checkout@v3
-      - name: Install poetry
+      - name: Install uv
-        run: pipx install poetry
+        uses: astral-sh/setup-uv@v5
      - uses: actions/setup-python@v4
        with:
-          python-version: ${{ matrix.python-version }}
+          # Install a specific version of uv.
-          cache: 'poetry'
+          version: "0.5.21"
          enable-cache: true
      - name: Install OS dependencies
        if: ${{ matrix.python-version }} == '3.10'
        run: |
          sudo apt update
          sudo apt install -y libre2-dev libpq-dev
      - name: "Set up Python"
        uses: actions/setup-python@v5
        with:
          python-version-file: "pyproject.toml"
      - name: Install dependencies
-        if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
+        if: steps.setup-uv.outputs.cache-hit != 'true'
-        run: poetry install --no-interaction
+        run: uv sync --locked --all-extras
      - name: Start Redis v6
@ -95,7 +103,7 @@ jobs:
      - name: Run db migration
        run: |
-          CONFIG=tests/test.env poetry run alembic upgrade head
+          CONFIG=tests/test.env uv run alembic upgrade head
      - name: Prepare version file
        run: |
@ -104,7 +112,7 @@ jobs:
      - name: Test with pytest
        run: |
-          poetry run pytest
+          uv run pytest
        env:
          GITHUB_ACTIONS_TEST: true
--- a/app/.python-version
+++ b/app/.python-version
@ -0,0 +1 @@
 3.10.16
--- a/app/CONTRIBUTING.md
+++ b/app/CONTRIBUTING.md
@ -20,7 +20,7 @@ SimpleLogin backend consists of 2 main components:
 ## Install dependencies
 The project requires:
- Python 3.10 and poetry to manage dependencies
+- Python 3.10 and uv to manage dependencies
 - Node v10 for front-end.
 - Postgres 13+
@ -28,7 +28,7 @@ First, install all dependencies by running the following command.
 Feel free to use `virtualenv` or similar tools to isolate development environment.
 ```bash
-poetry sync
+uv sync
 ```
 On Mac, sometimes you might need to install some other packages via `brew`:
@ -55,7 +55,7 @@ brew install -s re2 pybind11
 We use pre-commit to run all our linting and static analysis checks. Please run
 ```bash
-poetry run pre-commit install
+uv run pre-commit install
 ```
 To install it in your development environment.
@ -160,25 +160,25 @@ Here are the small sum-ups of the directory structures and their roles:
 The code is formatted using [ruff](https://github.com/astral-sh/ruff), to format the code, simply run
 ```
-poetry run ruff format .
+uv run ruff format .
 ```
 The code is also checked with `flake8`, make sure to run `flake8` before creating the pull request by
 ```bash
-poetry run flake8
+uv run flake8
 ```
 For HTML templates, we use `djlint`. Before creating a pull request, please run
 ```bash
-poetry run djlint --check templates
+uv run djlint --check templates
 ```
 If some files aren't properly formatted, you can format all files with
 ```bash
-poetry run djlint --reformat .
+uv run djlint --reformat .
 ```
 ## Test sending email
@ -239,15 +239,15 @@ brew install python3.10
 # make sure to update the PATH so python, pip point to Python3
 # for us it can be done by adding "export PATH=/opt/homebrew/opt/python@3.10/libexec/bin:$PATH" to .zprofile
-# Although pipx is the recommended way to install poetry,
+# Although pipx is the recommended way to install uv,
 # install pipx via brew will automatically install python 3.12
-# and poetry will then use python 3.12
+# and uv will then use python 3.12
-# so we recommend using poetry this way instead
+# so we recommend using uv this way instead
-curl -sSL https://install.python-poetry.org | python3 -
+curl -sSL https://install.python-uv.org | python3 -
-poetry install
+uv install
 # activate the virtualenv and you should be good to go!
 source .venv/bin/activate
-```
+```
--- a/app/Dockerfile
+++ b/app/Dockerfile
@ -4,43 +4,47 @@ WORKDIR /code
 COPY ./static/package*.json /code/static/
 RUN cd /code/static && npm ci
-# Main image
+FROM --platform=linux/amd64 ubuntu:22.04
-FROM python:3.10
+
 ARG UV_VERSION="0.5.21"
 ARG UV_HASH="e108c300eafae22ad8e6d94519605530f18f8762eb58d2b98a617edfb5d088fc"
 # Keeps Python from generating .pyc files in the container
-ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONDONTWRITEBYTECODE=1
 # Turns off buffering for easier container logging
-ENV PYTHONUNBUFFERED 1
+ENV PYTHONUNBUFFERED=1
 # Add poetry to PATH
 ENV PATH="${PATH}:/root/.local/bin"
 WORKDIR /code
-# Copy poetry files
+# Copy dependency files
-COPY poetry.lock pyproject.toml ./
+COPY pyproject.toml uv.lock .python-version ./
-# Install and setup poetry
+# Install deps
-RUN pip install -U pip \
+RUN apt-get update \
-    && apt-get update \
+    && apt-get install -y curl netcat-traditional gcc python3-dev gnupg git libre2-dev build-essential pkg-config cmake ninja-build bash clang \
-    && apt install -y curl netcat-traditional gcc python3-dev gnupg git libre2-dev cmake ninja-build\
+    && curl -sSL "https://github.com/astral-sh/uv/releases/download/${UV_VERSION}/uv-x86_64-unknown-linux-gnu.tar.gz" > uv.tar.gz \
-    && curl -sSL https://install.python-poetry.org | python3 - \
+    && echo "${UV_HASH}  uv.tar.gz" | sha256sum -c - \
-    # Remove curl and netcat from the image
+    && tar xf uv.tar.gz -C /tmp/ \
-    && apt-get purge -y curl netcat-traditional \
+    && mv /tmp/uv-x86_64-unknown-linux-gnu/uv /usr/bin/uv \
-    # Run poetry
+    && mv /tmp/uv-x86_64-unknown-linux-gnu/uvx /usr/bin/uvx \
-    && poetry config virtualenvs.create false \
+    && rm -rf /tmp/uv* \
-    && poetry install  --no-interaction --no-ansi --no-root \
+    && rm -f uv.tar.gz \
-    # Clear apt cache \
+    && uv python install `cat .python-version` \
-    && apt-get purge -y libre2-dev cmake ninja-build\
+    && uv sync --locked \
    && apt-get autoremove -y \
    && apt-get purge -y curl netcat-traditional build-essential pkg-config cmake ninja-build python3-dev clang\
    && apt-get autoremove -y \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
 # Copy code
 COPY . .
 # copy npm packages
 COPY --from=npm /code /code
-# copy everything else into /code
+ENV PATH="/code/.venv/bin:$PATH"
 COPY . .
 EXPOSE 7777
 #gunicorn wsgi:app -b 0.0.0.0:7777 -w 2 --timeout 15 --log-level DEBUG
--- a/app/app/account_linking.py
+++ b/app/app/account_linking.py
@ -3,7 +3,6 @@ from dataclasses import dataclass
 from enum import Enum
 from typing import Optional
 import arrow
 import sqlalchemy.exc
 from arrow import Arrow
 from newrelic import agent
@ -60,19 +59,21 @@ class LinkResult:
    strategy: str
-def send_user_plan_changed_event(partner_user: PartnerUser) -> Optional[int]:
+def send_user_plan_changed_event(
    partner_user: PartnerUser,
 ) -> UserPlanChanged:
    subscription_end = partner_user.user.get_active_subscription_end(
        include_partner_subscription=False
    )
    end_timestamp = None
    if partner_user.user.lifetime:
-        end_timestamp = arrow.get("2038-01-01").timestamp
+        event = UserPlanChanged(lifetime=True)
    elif subscription_end:
-        end_timestamp = subscription_end.timestamp
+        event = UserPlanChanged(plan_end_time=subscription_end.timestamp)
-    event = UserPlanChanged(plan_end_time=end_timestamp)
+    else:
        event = UserPlanChanged(plan_end_time=None)
    EventDispatcher.send_event(partner_user.user, EventContent(user_plan_change=event))
    Session.flush()
-    return end_timestamp
+    return event
 def set_plan_for_partner_user(partner_user: PartnerUser, plan: SLPlan):
@ -194,6 +195,7 @@ class NewUserStrategy(ClientMergeStrategy):
                strategy=self.__class__.__name__,
            )
        except (UniqueViolation, sqlalchemy.exc.IntegrityError) as e:
            Session.rollback()
            LOG.debug(f"Got the duplicate user error: {e}")
            return self.create_missing_link(canonical_email)
--- a/app/app/admin_model.py
+++ b/app/app/admin_model.py
@ -791,7 +791,7 @@ class EmailSearchResult:
        self.query: str
    @staticmethod
-    def from_email(email: str) -> EmailSearchResult:
+    def from_request_email(email: str) -> EmailSearchResult:
        output = EmailSearchResult()
        output.query = email
        alias = Alias.get_by(email=email)
@ -803,7 +803,11 @@ class EmailSearchResult:
                .all()
            )
            output.no_match = False
-        user = User.get_by(email=email)
+        try:
            user_id = int(email)
            user = User.get(user_id)
        except ValueError:
            user = User.get_by(email=email)
        if user:
            output.user = user
            output.user_audit_log = (
@ -912,7 +916,7 @@ class EmailSearchAdmin(BaseView):
        email = request.args.get("email")
        if email is not None and len(email) > 0:
            email = email.strip()
-            search = EmailSearchResult.from_email(email)
+            search = EmailSearchResult.from_request_email(email)
        return self.render(
            "admin/email_search.html",
--- a/app/app/api/views/mailbox.py
+++ b/app/app/api/views/mailbox.py
@ -6,12 +6,7 @@ from flask import request
 from app import mailbox_utils
 from app.api.base import api_bp, require_api_auth
 from app.dashboard.views.mailbox_detail import verify_mailbox_change
 from app.db import Session
 from app.email_utils import (
    mailbox_already_used,
    email_can_be_used_as_mailbox,
 )
 from app.models import Mailbox
 from app.utils import sanitize_email
@ -122,20 +117,10 @@ def update_mailbox(mailbox_id):
    if "email" in data:
        new_email = sanitize_email(data.get("email"))
        if mailbox_already_used(new_email, user):
            return jsonify(error=f"{new_email} already used"), 400
        elif not email_can_be_used_as_mailbox(new_email):
            return (
                jsonify(
                    error=f"{new_email} cannot be used. Please note a mailbox cannot "
                    f"be a disposable email address"
                ),
                400,
            )
        try:
-            verify_mailbox_change(user, mailbox, new_email)
+            mailbox_utils.request_mailbox_email_change(user, mailbox, new_email)
        except mailbox_utils.MailboxError as e:
            return jsonify(error=e.msg), 400
        except SMTPRecipientsRefused:
            return jsonify(error=f"Incorrect mailbox, please recheck {new_email}"), 400
        else:
@ -145,7 +130,7 @@ def update_mailbox(mailbox_id):
    if "cancel_email_change" in data:
        cancel_email_change = data.get("cancel_email_change")
        if cancel_email_change:
-            mailbox.new_email = None
+            mailbox_utils.cancel_email_change(mailbox.id, user)
            changed = True
    if changed:
--- a/app/app/coupon_utils.py
+++ b/app/app/coupon_utils.py
@ -0,0 +1,127 @@
 from typing import Optional
 import arrow
 from sqlalchemy import or_, update, and_
 from app.config import ADMIN_EMAIL
 from app.db import Session
 from app.email_utils import send_email
 from app.events.event_dispatcher import EventDispatcher
 from app.events.generated.event_pb2 import EventContent, UserPlanChanged
 from app.log import LOG
 from app.models import User, ManualSubscription, Coupon, LifetimeCoupon
 from app.user_audit_log_utils import emit_user_audit_log, UserAuditLogAction
 class CouponUserCannotRedeemError(Exception):
    pass
 def redeem_coupon(coupon_code: str, user: User) -> Optional[Coupon]:
    if user.lifetime:
        LOG.i(f"User {user} is a lifetime SL user. Cannot redeem coupons")
        raise CouponUserCannotRedeemError()
    sub = user.get_active_subscription()
    if sub and not isinstance(sub, ManualSubscription):
        LOG.i(
            f"User {user} has an active subscription that is not manual. Cannot redeem coupon {coupon_code}"
        )
        raise CouponUserCannotRedeemError()
    coupon = Coupon.get_by(code=coupon_code)
    if not coupon:
        LOG.i(f"User is trying to redeem coupon {coupon_code} that does not exist")
        return None
    now = arrow.utcnow()
    stmt = (
        update(Coupon)
        .where(
            and_(
                Coupon.code == coupon_code,
                Coupon.used == False,  # noqa: E712
                or_(
                    Coupon.expires_date == None,  # noqa: E711
                    Coupon.expires_date > now,
                ),
            )
        )
        .values(used=True, used_by_user_id=user.id, updated_at=now)
    )
    res = Session.execute(stmt)
    if res.rowcount == 0:
        LOG.i(f"Coupon {coupon.id} could not be redeemed. It's expired or invalid.")
        return None
    LOG.i(
        f"Redeemed normal coupon {coupon.id} for {coupon.nb_year} years by user {user}"
    )
    if sub:
        # renew existing subscription
        if sub.end_at > arrow.now():
            sub.end_at = sub.end_at.shift(years=coupon.nb_year)
        else:
            sub.end_at = arrow.now().shift(years=coupon.nb_year, days=1)
    else:
        sub = ManualSubscription.create(
            user_id=user.id,
            end_at=arrow.now().shift(years=coupon.nb_year, days=1),
            comment="using coupon code",
            is_giveaway=coupon.is_giveaway,
            commit=True,
        )
    emit_user_audit_log(
        user=user,
        action=UserAuditLogAction.Upgrade,
        message=f"User {user} redeemed coupon {coupon.id} for {coupon.nb_year} years",
    )
    EventDispatcher.send_event(
        user=user,
        content=EventContent(
            user_plan_change=UserPlanChanged(plan_end_time=sub.end_at.timestamp)
        ),
    )
    Session.commit()
    return coupon
 def redeem_lifetime_coupon(coupon_code: str, user: User) -> Optional[Coupon]:
    coupon: LifetimeCoupon = LifetimeCoupon.get_by(code=coupon_code)
    if not coupon:
        return None
    stmt = (
        update(LifetimeCoupon)
        .where(
            and_(
                LifetimeCoupon.code == coupon_code,
                LifetimeCoupon.nb_used > 0,
            )
        )
        .values(nb_used=LifetimeCoupon.nb_used - 1)
    )
    res = Session.execute(stmt)
    if res.rowcount == 0:
        LOG.i("Coupon could not be redeemed")
        return None
    user.lifetime = True
    user.lifetime_coupon_id = coupon.id
    if coupon.paid:
        user.paid_lifetime = True
    EventDispatcher.send_event(
        user=user,
        content=EventContent(user_plan_change=UserPlanChanged(lifetime=True)),
    )
    Session.commit()
    # notify admin
    send_email(
        ADMIN_EMAIL,
        subject=f"User {user} used lifetime coupon({coupon.comment}). Coupon nb_used: {coupon.nb_used}",
        plaintext="",
        html="",
    )
    return coupon
--- a/app/app/dashboard/views/coupon.py
+++ b/app/app/dashboard/views/coupon.py
@ -1,17 +1,15 @@
 import arrow
-from flask import render_template, flash, redirect, url_for, request
+from flask import render_template, flash, redirect, url_for
 from flask_login import login_required, current_user
 from flask_wtf import FlaskForm
 from wtforms import StringField, validators
 from app import parallel_limiter
 from app.config import PADDLE_VENDOR_ID, PADDLE_COUPON_ID
 from app.coupon_utils import redeem_coupon, CouponUserCannotRedeemError
 from app.dashboard.base import dashboard_bp
 from app.db import Session
 from app.log import LOG
 from app.models import (
    ManualSubscription,
    Coupon,
    Subscription,
    AppleSubscription,
    CoinbaseSubscription,
@ -58,56 +56,23 @@ def coupon_route():
    if coupon_form.validate_on_submit():
        code = coupon_form.code.data
-
+        try:
-        coupon: Coupon = Coupon.get_by(code=code)
+            coupon = redeem_coupon(code, current_user)
-        if coupon and not coupon.used:
+            if coupon:
            if coupon.expires_date and coupon.expires_date < arrow.now():
                flash(
                    f"The coupon was expired on {coupon.expires_date.humanize()}",
                    "error",
                )
                return redirect(request.url)
            updated = (
                Session.query(Coupon)
                .filter_by(code=code, used=False)
                .update({"used_by_user_id": current_user.id, "used": True})
            )
            if updated != 1:
                flash("Coupon is not valid", "error")
                return redirect(request.url)
            manual_sub: ManualSubscription = ManualSubscription.get_by(
                user_id=current_user.id
            )
            if manual_sub:
                # renew existing subscription
                if manual_sub.end_at > arrow.now():
                    manual_sub.end_at = manual_sub.end_at.shift(years=coupon.nb_year)
                else:
                    manual_sub.end_at = arrow.now().shift(years=coupon.nb_year, days=1)
                Session.commit()
                flash(
                    f"Your current subscription is extended to {manual_sub.end_at.humanize()}",
                    "success",
                )
            else:
                ManualSubscription.create(
                    user_id=current_user.id,
                    end_at=arrow.now().shift(years=coupon.nb_year, days=1),
                    comment="using coupon code",
                    is_giveaway=coupon.is_giveaway,
                    commit=True,
                )
                flash(
                    "Your account has been upgraded to Premium, thanks for your support!",
                    "success",
                )
-
+            else:
-            return redirect(url_for("dashboard.index"))
+                flash(
-
+                    "This coupon cannot be redeemed. It's invalid or has expired",
-        else:
+                    "warning",
-            flash(f"Code *{code}* expired or invalid", "warning")
+                )
        except CouponUserCannotRedeemError:
            flash(
                "You have an active subscription. Please remove it before redeeming a coupon",
                "warning",
            )
    return render_template(
        "dashboard/coupon.html",
--- a/app/app/dashboard/views/lifetime_licence.py
+++ b/app/app/dashboard/views/lifetime_licence.py
@ -1,16 +1,11 @@
 import arrow
 from flask import render_template, flash, redirect, url_for
 from flask_login import login_required, current_user
 from flask_wtf import FlaskForm
 from wtforms import StringField, validators
-from app.config import ADMIN_EMAIL
+from app import parallel_limiter
 from app.coupon_utils import redeem_lifetime_coupon
 from app.dashboard.base import dashboard_bp
 from app.db import Session
 from app.email_utils import send_email
 from app.events.event_dispatcher import EventDispatcher
 from app.events.generated.event_pb2 import UserPlanChanged, EventContent
 from app.models import LifetimeCoupon
 class CouponForm(FlaskForm):
@ -19,6 +14,7 @@ class CouponForm(FlaskForm):
@dashboard_bp.route("/lifetime_licence", methods=["GET", "POST"])
@login_required
@parallel_limiter.lock()
 def lifetime_licence():
    if current_user.lifetime:
        flash("You already have a lifetime licence", "warning")
@ -35,36 +31,12 @@ def lifetime_licence():
    if coupon_form.validate_on_submit():
        code = coupon_form.code.data
-
+        coupon = redeem_lifetime_coupon(code, current_user)
-        coupon: LifetimeCoupon = LifetimeCoupon.get_by(code=code)
+        if coupon:
        if coupon and coupon.nb_used > 0:
            coupon.nb_used -= 1
            current_user.lifetime = True
            current_user.lifetime_coupon_id = coupon.id
            if coupon.paid:
                current_user.paid_lifetime = True
            EventDispatcher.send_event(
                user=current_user,
                content=EventContent(
                    user_plan_change=UserPlanChanged(
                        plan_end_time=arrow.get("2038-01-01").timestamp
                    )
                ),
            )
            Session.commit()
            # notify admin
            send_email(
                ADMIN_EMAIL,
                subject=f"User {current_user} used lifetime coupon({coupon.comment}). Coupon nb_used: {coupon.nb_used}",
                plaintext="",
                html="",
            )
            flash("You are upgraded to lifetime premium!", "success")
            return redirect(url_for("dashboard.index"))
        else:
-            flash(f"Code *{code}* expired or invalid", "warning")
+            flash("Coupon code expired or invalid", "warning")
    return render_template("dashboard/lifetime_licence.html", coupon_form=coupon_form)
--- a/app/app/dashboard/views/mailbox_detail.py
+++ b/app/app/dashboard/views/mailbox_detail.py
@ -1,23 +1,23 @@
 from smtplib import SMTPRecipientsRefused
 from email_validator import validate_email, EmailNotValidError
 from flask import render_template, request, redirect, url_for, flash
 from flask_login import login_required, current_user
 from flask_wtf import FlaskForm
 from itsdangerous import TimestampSigner
 from wtforms import validators
-from wtforms.fields.html5 import EmailField
+from wtforms.fields.simple import StringField
 from app import mailbox_utils
 from app.config import ENFORCE_SPF, MAILBOX_SECRET
 from app.config import URL
 from app.dashboard.base import dashboard_bp
 from app.dashboard.views.enter_sudo import sudo_required
 from app.db import Session
 from app.email_utils import email_can_be_used_as_mailbox
 from app.email_utils import mailbox_already_used, render, send_email
 from app.extensions import limiter
-from app.mailbox_utils import perform_mailbox_email_change, MailboxEmailChangeError
+from app.mailbox_utils import (
-from app.models import Alias, AuthorizedAddress
+    perform_mailbox_email_change,
    MailboxEmailChangeError,
    MailboxError,
 )
 from app.models import AuthorizedAddress
 from app.models import Mailbox
 from app.pgp_utils import PGPException, load_public_key_and_check
 from app.user_audit_log_utils import emit_user_audit_log, UserAuditLogAction
@ -25,7 +25,7 @@ from app.utils import sanitize_email, CSRFValidationForm
 class ChangeEmailForm(FlaskForm):
-    email = EmailField(
+    email = StringField(
        "email", validators=[validators.DataRequired(), validators.Email()]
    )
@ -56,34 +56,19 @@ def mailbox_detail_route(mailbox_id):
            request.form.get("form-name") == "update-email"
            and change_email_form.validate_on_submit()
        ):
-            new_email = sanitize_email(change_email_form.email.data)
+            try:
-            if new_email != mailbox.email and not pending_email:
+                response = mailbox_utils.request_mailbox_email_change(
-                # check if this email is not already used
+                    current_user, mailbox, change_email_form.email.data
-                if mailbox_already_used(new_email, current_user) or Alias.get_by(
+                )
-                    email=new_email
+                flash(
-                ):
+                    f"You are going to receive an email to confirm {mailbox.email}.",
-                    flash(f"Email {new_email} already used", "error")
+                    "success",
-                elif not email_can_be_used_as_mailbox(new_email):
+                )
-                    flash("You cannot use this email address as your mailbox", "error")
+            except mailbox_utils.MailboxError as e:
-                else:
+                flash(e.msg, "error")
-                    mailbox.new_email = new_email
+            return redirect(
-                    Session.commit()
+                url_for("dashboard.mailbox_detail_route", mailbox_id=mailbox_id)
-
+            )
                    try:
                        verify_mailbox_change(current_user, mailbox, new_email)
                    except SMTPRecipientsRefused:
                        flash(
                            f"Incorrect mailbox, please recheck {mailbox.email}",
                            "error",
                        )
                    else:
                        flash(
                            f"You are going to receive an email to confirm {new_email}.",
                            "success",
                        )
                    return redirect(
                        url_for("dashboard.mailbox_detail_route", mailbox_id=mailbox_id)
                    )
        elif request.form.get("form-name") == "force-spf":
            if not ENFORCE_SPF:
                flash("SPF enforcement globally not enabled", "error")
@ -265,81 +250,57 @@ def mailbox_detail_route(mailbox_id):
    return render_template("dashboard/mailbox_detail.html", **locals())
 def verify_mailbox_change(user, mailbox, new_email):
    s = TimestampSigner(MAILBOX_SECRET)
    mailbox_id_signed = s.sign(str(mailbox.id)).decode()
    verification_url = (
        f"{URL}/dashboard/mailbox/confirm_change?mailbox_id={mailbox_id_signed}"
    )
    send_email(
        new_email,
        "Confirm mailbox change on SimpleLogin",
        render(
            "transactional/verify-mailbox-change.txt.jinja2",
            user=user,
            link=verification_url,
            mailbox_email=mailbox.email,
            mailbox_new_email=new_email,
        ),
        render(
            "transactional/verify-mailbox-change.html",
            user=user,
            link=verification_url,
            mailbox_email=mailbox.email,
            mailbox_new_email=new_email,
        ),
    )
@dashboard_bp.route(
    "/mailbox/<int:mailbox_id>/cancel_email_change", methods=["GET", "POST"]
 )
@login_required
 def cancel_mailbox_change_route(mailbox_id):
-    mailbox = Mailbox.get(mailbox_id)
+    try:
-    if not mailbox or mailbox.user_id != current_user.id:
+        mailbox_utils.cancel_email_change(mailbox_id, current_user)
        flash("You cannot see this page", "warning")
        return redirect(url_for("dashboard.index"))
    if mailbox.new_email:
        mailbox.new_email = None
        Session.commit()
        flash("Your mailbox change is cancelled", "success")
        return redirect(
            url_for("dashboard.mailbox_detail_route", mailbox_id=mailbox_id)
        )
-    else:
+    except MailboxError as e:
-        flash("You have no pending mailbox change", "warning")
+        flash(e.msg, "warning")
-        return redirect(
+        return redirect(url_for("dashboard.index"))
            url_for("dashboard.mailbox_detail_route", mailbox_id=mailbox_id)
        )
@dashboard_bp.route("/mailbox/confirm_change")
 def mailbox_confirm_email_change_route():
-    s = TimestampSigner(MAILBOX_SECRET)
+    mailbox_id = request.args.get("mailbox_id")
    signed_mailbox_id = request.args.get("mailbox_id")
-    try:
+    code = request.args.get("code")
-        mailbox_id = int(s.unsign(signed_mailbox_id, max_age=900))
+    if code:
-    except Exception:
+        print("HAS OCO", code)
-        flash("Invalid link", "error")
+        try:
-        return redirect(url_for("dashboard.index"))
+            mailbox = mailbox_utils.verify_mailbox_code(current_user, mailbox_id, code)
-
+            flash("Successfully changed mailbox email", "success")
    res = perform_mailbox_email_change(mailbox_id)
    flash(res.message, res.message_category)
    if res.error:
        if res.error == MailboxEmailChangeError.EmailAlreadyUsed:
            return redirect(
-                url_for("dashboard.mailbox_detail_route", mailbox_id=mailbox_id)
+                url_for("dashboard.mailbox_detail_route", mailbox_id=mailbox.id)
            )
-        elif res.error == MailboxEmailChangeError.InvalidId:
+        except mailbox_utils.MailboxError as e:
-            return redirect(url_for("dashboard.index"))
+            print(e)
-        else:
+            flash(f"Cannot verify mailbox: {e.msg}", "error")
-            raise Exception("Unhandled MailboxEmailChangeError")
+            return redirect(url_for("dashboard.mailbox_route"))
    else:
-        return redirect(
+        s = TimestampSigner(MAILBOX_SECRET)
-            url_for("dashboard.mailbox_detail_route", mailbox_id=mailbox_id)
+        try:
-        )
+            mailbox_id = int(s.unsign(mailbox_id, max_age=900))
            res = perform_mailbox_email_change(mailbox_id)
            flash(res.message, res.message_category)
            if res.error:
                if res.error == MailboxEmailChangeError.EmailAlreadyUsed:
                    return redirect(
                        url_for("dashboard.mailbox_detail_route", mailbox_id=mailbox_id)
                    )
                elif res.error == MailboxEmailChangeError.InvalidId:
                    return redirect(url_for("dashboard.index"))
                else:
                    raise Exception("Unhandled MailboxEmailChangeError")
        except Exception:
            flash("Invalid link", "error")
            return redirect(url_for("dashboard.index"))
    flash("Successfully changed mailbox email", "success")
    return redirect(url_for("dashboard.mailbox_detail_route", mailbox_id=mailbox_id))
--- a/app/app/events/generated/event_pb2.py
+++ b/app/app/events/generated/event_pb2.py
@ -24,7 +24,7 @@ _sym_db = _symbol_database.Default()
-DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x0b\x65vent.proto\x12\x12simplelogin_events\"(\n\x0fUserPlanChanged\x12\x15\n\rplan_end_time\x18\x01 \x01(\r\"\r\n\x0bUserDeleted\"\\\n\x0c\x41liasCreated\x12\n\n\x02id\x18\x01 \x01(\r\x12\r\n\x05\x65mail\x18\x02 \x01(\t\x12\x0c\n\x04note\x18\x03 \x01(\t\x12\x0f\n\x07\x65nabled\x18\x04 \x01(\x08\x12\x12\n\ncreated_at\x18\x05 \x01(\r\"T\n\x12\x41liasStatusChanged\x12\n\n\x02id\x18\x01 \x01(\r\x12\r\n\x05\x65mail\x18\x02 \x01(\t\x12\x0f\n\x07\x65nabled\x18\x03 \x01(\x08\x12\x12\n\ncreated_at\x18\x04 \x01(\r\")\n\x0c\x41liasDeleted\x12\n\n\x02id\x18\x01 \x01(\r\x12\r\n\x05\x65mail\x18\x02 \x01(\t\"D\n\x10\x41liasCreatedList\x12\x30\n\x06\x65vents\x18\x01 \x03(\x0b\x32 .simplelogin_events.AliasCreated\"\x93\x03\n\x0c\x45ventContent\x12?\n\x10user_plan_change\x18\x01 \x01(\x0b\x32#.simplelogin_events.UserPlanChangedH\x00\x12\x37\n\x0cuser_deleted\x18\x02 \x01(\x0b\x32\x1f.simplelogin_events.UserDeletedH\x00\x12\x39\n\ralias_created\x18\x03 \x01(\x0b\x32 .simplelogin_events.AliasCreatedH\x00\x12\x45\n\x13\x61lias_status_change\x18\x04 \x01(\x0b\x32&.simplelogin_events.AliasStatusChangedH\x00\x12\x39\n\ralias_deleted\x18\x05 \x01(\x0b\x32 .simplelogin_events.AliasDeletedH\x00\x12\x41\n\x11\x61lias_create_list\x18\x06 \x01(\x0b\x32$.simplelogin_events.AliasCreatedListH\x00\x42\t\n\x07\x63ontent\"y\n\x05\x45vent\x12\x0f\n\x07user_id\x18\x01 \x01(\r\x12\x18\n\x10\x65xternal_user_id\x18\x02 \x01(\t\x12\x12\n\npartner_id\x18\x03 \x01(\r\x12\x31\n\x07\x63ontent\x18\x04 \x01(\x0b\x32 .simplelogin_events.EventContentb\x06proto3')
+DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x0b\x65vent.proto\x12\x12simplelogin_events\":\n\x0fUserPlanChanged\x12\x15\n\rplan_end_time\x18\x01 \x01(\r\x12\x10\n\x08lifetime\x18\x02 \x01(\x08\"\r\n\x0bUserDeleted\"\\\n\x0c\x41liasCreated\x12\n\n\x02id\x18\x01 \x01(\r\x12\r\n\x05\x65mail\x18\x02 \x01(\t\x12\x0c\n\x04note\x18\x03 \x01(\t\x12\x0f\n\x07\x65nabled\x18\x04 \x01(\x08\x12\x12\n\ncreated_at\x18\x05 \x01(\r\"T\n\x12\x41liasStatusChanged\x12\n\n\x02id\x18\x01 \x01(\r\x12\r\n\x05\x65mail\x18\x02 \x01(\t\x12\x0f\n\x07\x65nabled\x18\x03 \x01(\x08\x12\x12\n\ncreated_at\x18\x04 \x01(\r\")\n\x0c\x41liasDeleted\x12\n\n\x02id\x18\x01 \x01(\r\x12\r\n\x05\x65mail\x18\x02 \x01(\t\"D\n\x10\x41liasCreatedList\x12\x30\n\x06\x65vents\x18\x01 \x03(\x0b\x32 .simplelogin_events.AliasCreated\"\x93\x03\n\x0c\x45ventContent\x12?\n\x10user_plan_change\x18\x01 \x01(\x0b\x32#.simplelogin_events.UserPlanChangedH\x00\x12\x37\n\x0cuser_deleted\x18\x02 \x01(\x0b\x32\x1f.simplelogin_events.UserDeletedH\x00\x12\x39\n\ralias_created\x18\x03 \x01(\x0b\x32 .simplelogin_events.AliasCreatedH\x00\x12\x45\n\x13\x61lias_status_change\x18\x04 \x01(\x0b\x32&.simplelogin_events.AliasStatusChangedH\x00\x12\x39\n\ralias_deleted\x18\x05 \x01(\x0b\x32 .simplelogin_events.AliasDeletedH\x00\x12\x41\n\x11\x61lias_create_list\x18\x06 \x01(\x0b\x32$.simplelogin_events.AliasCreatedListH\x00\x42\t\n\x07\x63ontent\"y\n\x05\x45vent\x12\x0f\n\x07user_id\x18\x01 \x01(\r\x12\x18\n\x10\x65xternal_user_id\x18\x02 \x01(\t\x12\x12\n\npartner_id\x18\x03 \x01(\r\x12\x31\n\x07\x63ontent\x18\x04 \x01(\x0b\x32 .simplelogin_events.EventContentb\x06proto3')
 _globals = globals()
 _builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals)
@ -32,19 +32,19 @@ _builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'event_pb2', _globals)
 if not _descriptor._USE_C_DESCRIPTORS:
  DESCRIPTOR._loaded_options = None
  _globals['_USERPLANCHANGED']._serialized_start=35
-  _globals['_USERPLANCHANGED']._serialized_end=75
+  _globals['_USERPLANCHANGED']._serialized_end=93
-  _globals['_USERDELETED']._serialized_start=77
+  _globals['_USERDELETED']._serialized_start=95
-  _globals['_USERDELETED']._serialized_end=90
+  _globals['_USERDELETED']._serialized_end=108
-  _globals['_ALIASCREATED']._serialized_start=92
+  _globals['_ALIASCREATED']._serialized_start=110
-  _globals['_ALIASCREATED']._serialized_end=184
+  _globals['_ALIASCREATED']._serialized_end=202
-  _globals['_ALIASSTATUSCHANGED']._serialized_start=186
+  _globals['_ALIASSTATUSCHANGED']._serialized_start=204
-  _globals['_ALIASSTATUSCHANGED']._serialized_end=270
+  _globals['_ALIASSTATUSCHANGED']._serialized_end=288
-  _globals['_ALIASDELETED']._serialized_start=272
+  _globals['_ALIASDELETED']._serialized_start=290
-  _globals['_ALIASDELETED']._serialized_end=313
+  _globals['_ALIASDELETED']._serialized_end=331
-  _globals['_ALIASCREATEDLIST']._serialized_start=315
+  _globals['_ALIASCREATEDLIST']._serialized_start=333
-  _globals['_ALIASCREATEDLIST']._serialized_end=383
+  _globals['_ALIASCREATEDLIST']._serialized_end=401
-  _globals['_EVENTCONTENT']._serialized_start=386
+  _globals['_EVENTCONTENT']._serialized_start=404
-  _globals['_EVENTCONTENT']._serialized_end=789
+  _globals['_EVENTCONTENT']._serialized_end=807
-  _globals['_EVENT']._serialized_start=791
+  _globals['_EVENT']._serialized_start=809
-  _globals['_EVENT']._serialized_end=912
+  _globals['_EVENT']._serialized_end=930
 # @@protoc_insertion_point(module_scope)
--- a/app/app/events/generated/event_pb2.pyi
+++ b/app/app/events/generated/event_pb2.pyi
@ -6,10 +6,12 @@ from typing import ClassVar as _ClassVar, Iterable as _Iterable, Mapping as _Map
 DESCRIPTOR: _descriptor.FileDescriptor
 class UserPlanChanged(_message.Message):
-    __slots__ = ("plan_end_time",)
+    __slots__ = ("plan_end_time", "lifetime")
    PLAN_END_TIME_FIELD_NUMBER: _ClassVar[int]
    LIFETIME_FIELD_NUMBER: _ClassVar[int]
    plan_end_time: int
-    def __init__(self, plan_end_time: _Optional[int] = ...) -> None: ...
+    lifetime: bool
    def __init__(self, plan_end_time: _Optional[int] = ..., lifetime: bool = ...) -> None: ...
 class UserDeleted(_message.Message):
    __slots__ = ()
--- a/app/app/mailbox_utils.py
+++ b/app/app/mailbox_utils.py
@ -60,21 +60,7 @@ def create_mailbox(
            f"User {user} has tried to create mailbox with {email} but is not premium"
        )
        raise OnlyPaidError()
-    if not is_valid_email(email):
+    check_email_for_mailbox(email, user)
        LOG.i(
            f"User {user} has tried to create mailbox with {email} but is not valid email"
        )
        raise MailboxError("Invalid email")
    elif mailbox_already_used(email, user):
        LOG.i(
            f"User {user} has tried to create mailbox with {email} but email is already used"
        )
        raise MailboxError("Email already used")
    elif not email_can_be_used_as_mailbox(email):
        LOG.i(
            f"User {user} has tried to create mailbox with {email} but email is invalid"
        )
        raise MailboxError("Invalid email")
    new_mailbox: Mailbox = Mailbox.create(
        email=email, user_id=user.id, verified=verified, commit=True
    )
@ -106,6 +92,24 @@ def create_mailbox(
    return output
 def check_email_for_mailbox(email, user):
    if not is_valid_email(email):
        LOG.i(
            f"User {user} has tried to create mailbox with {email} but is not valid email"
        )
        raise MailboxError("Invalid email")
    elif mailbox_already_used(email, user):
        LOG.i(
            f"User {user} has tried to create mailbox with {email} but email is already used"
        )
        raise MailboxError("Email already used")
    elif not email_can_be_used_as_mailbox(email):
        LOG.i(
            f"User {user} has tried to create mailbox with {email} but email is invalid"
        )
        raise MailboxError("Invalid email")
 def delete_mailbox(
    user: User,
    mailbox_id: int,
@ -183,7 +187,7 @@ def verify_mailbox_code(user: User, mailbox_id: int, code: str) -> Mailbox:
            f"User {user} failed to verify mailbox {mailbox_id} because it's owned by another user"
        )
        raise MailboxError("Invalid mailbox")
-    if mailbox.verified:
+    if mailbox.verified and not mailbox.new_email:
        LOG.i(
            f"User {user} failed to verify mailbox {mailbox_id} because it's already verified"
        )
@ -220,13 +224,34 @@ def verify_mailbox_code(user: User, mailbox_id: int, code: str) -> Mailbox:
        activation.tries = activation.tries + 1
        Session.commit()
        raise CannotVerifyError("Invalid activation code")
-    LOG.i(f"User {user} has verified mailbox {mailbox_id}")
+    if mailbox.new_email:
-    mailbox.verified = True
+        LOG.i(
-    emit_user_audit_log(
+            f"User {user} has verified mailbox email change from {mailbox.email} to {mailbox.new_email}"
-        user=user,
+        )
-        action=UserAuditLogAction.VerifyMailbox,
+        emit_user_audit_log(
-        message=f"Verify mailbox {mailbox_id} ({mailbox.email})",
+            user=user,
-    )
+            action=UserAuditLogAction.UpdateMailbox,
            message=f"Change mailbox email for mailbox {mailbox_id} (old={mailbox.email} | new={mailbox.new_email})",
        )
        mailbox.email = mailbox.new_email
        mailbox.new_email = None
        mailbox.verified = True
    elif not mailbox.verified:
        LOG.i(f"User {user} has verified mailbox {mailbox_id}")
        mailbox.verified = True
        emit_user_audit_log(
            user=user,
            action=UserAuditLogAction.VerifyMailbox,
            message=f"Verify mailbox {mailbox_id} ({mailbox.email})",
        )
        if Mailbox.get_by(email=mailbox.new_email, user_id=user.id):
            raise MailboxError("That addres is already in use")
    else:
        LOG.i(
            "User {user} alread has mailbox {mailbox} verified and no pending email change"
        )
    clear_activation_codes_for_mailbox(mailbox)
    return mailbox
@ -251,7 +276,10 @@ def generate_activation_code(
 def send_verification_email(
-    user: User, mailbox: Mailbox, activation: MailboxActivation, send_link: bool = True
+    user: User,
    mailbox: Mailbox,
    activation: MailboxActivation,
    send_link: bool = True,
 ):
    LOG.i(
        f"Sending mailbox verification email to {mailbox.email} with send link={send_link}"
@ -286,6 +314,72 @@ def send_verification_email(
    )
 def send_change_email(user: User, mailbox: Mailbox, activation: MailboxActivation):
    verification_url = f"{config.URL}/dashboard/mailbox/confirm_change?mailbox_id={mailbox.id}&code={activation.code}"
    send_email(
        mailbox.new_email,
        "Confirm mailbox change on SimpleLogin",
        render(
            "transactional/verify-mailbox-change.txt.jinja2",
            user=user,
            link=verification_url,
            mailbox_email=mailbox.email,
            mailbox_new_email=mailbox.new_email,
        ),
        render(
            "transactional/verify-mailbox-change.html",
            user=user,
            link=verification_url,
            mailbox_email=mailbox.email,
            mailbox_new_email=mailbox.new_email,
        ),
    )
 def request_mailbox_email_change(
    user: User,
    mailbox: Mailbox,
    new_email: str,
    email_ownership_verified: bool = False,
    send_email: bool = True,
    use_digit_codes: bool = False,
 ) -> CreateMailboxOutput:
    new_email = sanitize_email(new_email)
    if new_email == mailbox.email:
        raise MailboxError("Same email")
    check_email_for_mailbox(new_email, user)
    if email_ownership_verified:
        mailbox.email = new_email
    else:
        mailbox.new_email = new_email
    emit_user_audit_log(
        user=user,
        action=UserAuditLogAction.UpdateMailbox,
        message=f"Updated mailbox {mailbox.id} email ({new_email}) pre-verified({email_ownership_verified}",
    )
    Session.commit()
    if email_ownership_verified:
        LOG.i(f"User {user} as created a pre-verified mailbox with {new_email}")
        return CreateMailboxOutput(mailbox=mailbox, activation=None)
    LOG.i(f"User {user} has updated mailbox email with {new_email}")
    activation = generate_activation_code(mailbox, use_digit_code=use_digit_codes)
    output = CreateMailboxOutput(mailbox=mailbox, activation=activation)
    if not send_email:
        LOG.i(f"Skipping sending validation email for mailbox {mailbox}")
        return output
    send_change_email(
        user,
        mailbox,
        activation=activation,
    )
    return output
 class MailboxEmailChangeError(Enum):
    InvalidId = 1
    EmailAlreadyUsed = 2
@ -337,6 +431,23 @@ def perform_mailbox_email_change(mailbox_id: int) -> MailboxEmailChangeResult:
        )
 def cancel_email_change(mailbox_id: int, user: User):
    mailbox = Mailbox.get(mailbox_id)
    if not mailbox:
        LOG.i(
            f"User {user} has tried to cancel a mailbox an unknown mailbox {mailbox_id}"
        )
        raise MailboxError("Invalid mailbox")
    if mailbox.user.id != user.id:
        LOG.i(
            f"User {user} has tried to cancel a mailbox {mailbox} owned by another user"
        )
        raise MailboxError("Invalid mailbox")
    mailbox.new_email = None
    LOG.i(f"User {mailbox.user} has cancelled mailbox email change")
    clear_activation_codes_for_mailbox(mailbox)
 def __get_alias_mailbox_from_email(
    email_address: str, alias: Alias
 ) -> Optional[Mailbox]:
--- a/app/app/models.py
+++ b/app/app/models.py
@ -343,7 +343,7 @@ class Fido(Base, ModelMixin):
 class User(Base, ModelMixin, UserMixin, PasswordOracle):
    __tablename__ = "users"
-    FLAG_DISABLE_CREATE_CONTACTS = 1 << 0
+    FLAG_FREE_DISABLE_CREATE_CONTACTS = 1 << 0
    FLAG_CREATED_FROM_PARTNER = 1 << 1
    FLAG_FREE_OLD_ALIAS_LIMIT = 1 << 2
    FLAG_CREATED_ALIAS_FROM_PARTNER = 1 << 3
@ -550,7 +550,7 @@ class User(Base, ModelMixin, UserMixin, PasswordOracle):
    # bitwise flags. Allow for future expansion
    flags = sa.Column(
        sa.BigInteger,
-        default=FLAG_DISABLE_CREATE_CONTACTS,
+        default=FLAG_FREE_DISABLE_CREATE_CONTACTS,
        server_default="0",
        nullable=False,
    )
@ -640,7 +640,7 @@ class User(Base, ModelMixin, UserMixin, PasswordOracle):
        # If the user is created from partner, do not notify
        # nor give a trial
        if from_partner:
-            user.flags = User.FLAG_CREATED_FROM_PARTNER
+            user.flags = user.flags | User.FLAG_CREATED_FROM_PARTNER
            user.notification = False
            user.trial_end = None
            Job.create(
@ -1189,7 +1189,7 @@ class User(Base, ModelMixin, UserMixin, PasswordOracle):
    def can_create_contacts(self) -> bool:
        if self.is_premium():
            return True
-        if self.flags & User.FLAG_DISABLE_CREATE_CONTACTS == 0:
+        if self.flags & User.FLAG_FREE_DISABLE_CREATE_CONTACTS == 0:
            return True
        return not config.DISABLE_CREATE_CONTACTS_FOR_FREE_USERS
--- a/app/email_handler.py
+++ b/app/email_handler.py
@ -590,15 +590,36 @@ def handle_forward(envelope, msg: Message, rcpt_to: str) -> List[Tuple[bool, str
        contact.alias
    )  # In case the Session was closed in the get_or_create we re-fetch the alias
-    reply_to_contact = None
+    reply_to_contact = []
    if msg[headers.REPLY_TO]:
-        reply_to = get_header_unicode(msg[headers.REPLY_TO])
+        reply_to_header_contents = get_header_unicode(msg[headers.REPLY_TO])
-        LOG.d("Create or get contact for reply_to_header:%s", reply_to)
+        if reply_to_header_contents:
-        # ignore when reply-to = alias
+            LOG.d(
-        if reply_to == alias.email:
+                "Create or get contact for reply_to_header:%s", reply_to_header_contents
-            LOG.i("Reply-to same as alias %s", alias)
+            )
-        else:
+            for reply_to in [
-            reply_to_contact = get_or_create_reply_to_contact(reply_to, alias, msg)
+                reply_to.strip()
                for reply_to in reply_to_header_contents.split(",")
                if reply_to.strip()
            ]:
                reply_to_name, reply_to_email = parse_full_address(reply_to)
                if reply_to_email == alias.email:
                    LOG.i("Reply-to same as alias %s", alias)
                else:
                    reply_to_contact.append(
                        get_or_create_reply_to_contact(reply_to_email, alias, msg)
                    )
    if alias.user.delete_on is not None:
        LOG.d(f"user {user} is pending to be deleted. Do not forward")
        EmailLog.create(
            contact_id=contact.id,
            user_id=contact.user_id,
            blocked=True,
            alias_id=contact.alias_id,
            commit=True,
        )
        return [(True, status.E502)]
    if not alias.enabled or contact.block_forward:
        LOG.d("%s is disabled, do not forward", alias)
@ -690,7 +711,7 @@ def forward_email_to_mailbox(
    envelope,
    mailbox,
    user,
-    reply_to_contact: Optional[Contact],
+    reply_to_contacts: list[Contact],
 ) -> (bool, str):
    LOG.d("Forward %s -> %s -> %s", contact, alias, mailbox)
@ -873,11 +894,13 @@ def forward_email_to_mailbox(
    add_or_replace_header(msg, "From", new_from_header)
    LOG.d("From header, new:%s, old:%s", new_from_header, old_from_header)
-    if reply_to_contact:
+    if len(reply_to_contacts) > 0:
-        reply_to_header = msg[headers.REPLY_TO]
+        original_reply_to = get_header_unicode(msg[headers.REPLY_TO])
-        new_reply_to_header = reply_to_contact.new_addr()
+        new_reply_to_header = ", ".join(
            [reply_to_contact.new_addr() for reply_to_contact in reply_to_contacts][:5]
        )
        add_or_replace_header(msg, "Reply-To", new_reply_to_header)
-        LOG.d("Reply-To header, new:%s, old:%s", new_reply_to_header, reply_to_header)
+        LOG.d("Reply-To header, new:%s, old:%s", new_reply_to_header, original_reply_to)
    # replace CC & To emails by reverse-alias for all emails that are not alias
    try:
--- a/app/oneshot/send_plan_change_events.py
+++ b/app/oneshot/send_plan_change_events.py
@ -2,7 +2,6 @@
 import argparse
 import time
 import arrow
 from sqlalchemy import func
 from app.account_linking import send_user_plan_changed_event
@ -38,9 +37,9 @@ for batch_start in range(pu_id_start, max_pu_id, step):
        )
    ).all()
    for partner_user in partner_users:
-        subscription_end = send_user_plan_changed_event(partner_user)
+        event = send_user_plan_changed_event(partner_user)
-        if subscription_end is not None:
+        if event is not None:
-            if subscription_end > arrow.get("2038-01-01").timestamp:
+            if event.lifetime:
                with_lifetime += 1
            else:
                with_premium += 1
--- a/app/proto/event.proto
+++ b/app/proto/event.proto
@ -4,6 +4,7 @@ package simplelogin_events;
 message UserPlanChanged {
  uint32 plan_end_time = 1;
  bool lifetime = 2;
 }
 message UserDeleted {
--- a/app/pyproject.toml
+++ b/app/pyproject.toml
@ -1,20 +1,101 @@
 [project]
 name = "SimpleLogin"
 version = "0.1.0"
 description = "SimpleLogin partner API"
 authors = [ {name="SimpleLogin", email="dev@simplelogin.io"}]
 license = "MIT"
 repository = "https://github.com/simple-login/app"
 keywords = ["email", "alias", "privacy", "oauth2", "openid"]
 packages = [
    { include = "app/" },
    { include = "migrations/" },
 ]
 include = ["templates/*", "templates/**/*", "local_data/*.txt"]
 requires-python = "~=3.10"
 dependencies = [
    "flask ~= 1.1.2",
    "flask_login ~= 0.5.0",
    "wtforms ~= 2.3.3",
    "unidecode ~= 1.1.1",
    "gunicorn ~= 20.0.4",
    "bcrypt ~= 3.2.0",
    "python-dotenv ~= 0.14.0",
    "ipython ~= 7.31.1",
    "sqlalchemy_utils ~= 0.36.8",
    "psycopg2-binary ~= 2.9.3",
    "sentry_sdk ~= 2.20.0",
    "blinker ~= 1.4",
    "arrow ~= 0.16.0",
    "Flask-WTF ~= 0.14.3",
    "boto3 ~= 1.35.37",
    "Flask-Migrate ~= 2.5.3",
    "flask_admin ~= 1.5.6",
    "flask-cors ~= 3.0.9",
    "watchtower ~= 0.8.0",
    "sqlalchemy-utils == 0.36.8",
    "jwcrypto ~= 0.8",
    "yacron~=0.11.2",
    "flask-debugtoolbar ~= 0.11.0",
    "requests_oauthlib ~= 1.3.0",
    "pyopenssl ~= 19.1.0",
    "aiosmtpd ~= 1.2",
    "dnspython==2.0.0",
    "coloredlogs ~= 14.0",
    "pycryptodome ~= 3.9.8",
    "phpserialize ~= 1.3",
    "dkimpy ~= 1.0.5",
    "pyotp ~= 2.4.0",
    "flask_profiler ~= 1.8.1",
    "facebook-sdk ~= 3.1.0",
    "google-api-python-client ~= 1.12.3",
    "google-auth-httplib2 ~= 0.0.4",
    "python-gnupg ~= 0.4.6",
    "webauthn ~= 0.4.7",
    "pyspf ~= 2.0.14",
    "Flask-Limiter == 1.4",
    "memory_profiler ~= 0.57.0",
    "gevent ~= 24.11.1",
    "email-validator ~= 1.1.3",
    "PGPy == 0.5.4",
    "coinbase-commerce ~= 1.0.1",
    "requests ~= 2.25.1",
    "newrelic ~= 8.8.0",
    "flanker ~= 0.9.11",
    "pyre2 ~= 0.3.6",
    "tldextract ~= 3.1.2",
    "flask-debugtoolbar-sqlalchemy ~= 0.2.0",
    "twilio ~= 7.3.2",
    "Deprecated ~= 1.2.13",
    "MarkupSafe~=1.1.1",
    "cryptography ~= 37.0.1",
    "SQLAlchemy ~= 1.3.24",
    "redis==4.6.0",
    "newrelic-telemetry-sdk ~= 0.5.0",
    "aiospamc == 0.10",
    "itsdangerous ~= 1.1.0",
    "werkzeug ~= 1.0.1",
    "alembic ~= 1.4.3",
 ]
 [tool.black]
 target-version = ['py310']
 exclude = '''
 (
-  /(
+ /(
-      \.eggs         # exclude a few common directories in the
+   \.eggs         # exclude a few common directories in the
-    | \.git          # root of the project
+   | \.git          # root of the project
-    | \.hg
+   | \.hg
-    | \.mypy_cache
+   | \.mypy_cache
-    | \.tox
+   | \.tox
-    | \.venv
+   | \.venv
-    | _build
+   | _build
-    | buck-out
+   | buck-out
-    | build
+   | build
-    | dist
+   | dist
-    | migrations    # migrations/ is generated by alembic
+   | migrations    # migrations/ is generated by alembic
-    | app/events/generated
+   | app/events/generated
  )/
 )
 '''
@ -27,7 +108,6 @@ exclude = [".venv", "migrations", "app/events/generated"]
 indent = 2
 profile = "jinja"
 blank_line_after_tag = "if,for,include,load,extends,block,endcall"
 # H006: Images should have a height attribute
 # H013: Images should have an alt attribute
 # H016: Missing title tag in html. | False positive on template
@ -43,92 +123,26 @@ blank_line_after_tag = "if,for,include,load,extends,block,endcall"
 # T001: Variables should be wrapped in a single whitespace. | Messes up with comments
 ignore = "H006,H013,H016,H017,H019,H021,H025,H030,H031,T003,J004,J018,T001"
-[tool.poetry]
+[tool.uv]
-name = "SimpleLogin"
+dev-dependencies = [
-version = "0.1.0"
+    "pytest ~= 7.0.0",
-description = "open-source email alias solution"
+    "pytest-cov ~= 3.0.0",
-authors = ["SimpleLogin <dev@simplelogin.io>"]
+    "pre-commit ~= 2.17.0",
-license = "MIT"
+    "black ~= 22.1.0",
-repository = "https://github.com/simple-login/app"
+    "djlint==1.34.1",
-keywords = ["email", "alias", "privacy", "oauth2", "openid"]
+    "pylint ~= 2.14.4",
-packages = [
+    "ruff ~= 0.1.5",
  { include = "app/" },
  { include = "migrations/" },
 ]
 include = ["templates/*", "templates/**/*", "local_data/*.txt"]
 [tool.poetry.dependencies]
 python = "^3.10"
 flask = "^1.1.2"
 flask_login = "^0.5.0"
 wtforms = "^2.3.3"
 unidecode = "^1.1.1"
 gunicorn = "^20.0.4"
 bcrypt = "^3.2.0"
 python-dotenv = "^0.14.0"
 ipython = "^7.31.1"
 sqlalchemy_utils = "^0.36.8"
 psycopg2-binary = "^2.9.3"
 sentry_sdk = "^2.16.0"
 blinker = "^1.4"
 arrow = "^0.16.0"
 Flask-WTF = "^0.14.3"
 boto3 = "^1.15.9"
 Flask-Migrate = "^2.5.3"
 flask_admin = "^1.5.6"
 flask-cors = "^3.0.9"
 watchtower = "^0.8.0"
 sqlalchemy-utils = "^0.36.8"
 jwcrypto = "^0.8"
 yacron = "^0.11.1"
 flask-debugtoolbar = "^0.11.0"
 requests_oauthlib = "^1.3.0"
 pyopenssl = "^19.1.0"
 aiosmtpd = "^1.2"
 dnspython = "^2.0.0"
 coloredlogs = "^14.0"
 pycryptodome = "^3.9.8"
 phpserialize = "^1.3"
 dkimpy = "^1.0.5"
 pyotp = "^2.4.0"
 flask_profiler = "^1.8.1"
 facebook-sdk = "^3.1.0"
 google-api-python-client = "^1.12.3"
 google-auth-httplib2 = "^0.0.4"
 python-gnupg = "^0.4.6"
 webauthn = "^0.4.7"
 pyspf = "^2.0.14"
 Flask-Limiter = "^1.4"
 memory_profiler = "^0.57.0"
 gevent = "22.10.2"
 email_validator = "^1.1.1"
 PGPy = "0.5.4"
 coinbase-commerce = "^1.0.1"
 requests = "^2.25.1"
 newrelic = "8.8.0"
 flanker = "^0.9.11"
 pyre2 = "^0.3.6"
 tldextract = "^3.1.2"
 flask-debugtoolbar-sqlalchemy = "^0.2.0"
 twilio = "^7.3.2"
 Deprecated = "^1.2.13"
 cryptography = "37.0.1"
 SQLAlchemy = "1.3.24"
 redis = "^4.5.3"
 newrelic-telemetry-sdk = "^0.5.0"
 aiospamc = "0.10"
 [tool.poetry.dev-dependencies]
 pytest = "^7.0.0"
 pytest-cov = "^3.0.0"
 black = "^22.1.0"
 djlint = "^1.3.0"
 pylint = "^2.14.4"
 [tool.poetry.group.dev.dependencies]
 ruff = "^0.1.5"
 pre-commit = "^3.8.0"
 [build-system]
-requires = ["poetry>=0.12"]
+requires = ["hatchling"]
-build-backend = "poetry.masonry.api"
+build-backend = "hatchling.build"
 [tool.hatch.metadata]
 allow-direct-references = true
 [tool.hatch.build.targets.sdist]
 include = ["app", "local_data", "migrations", "templates"]
 [tool.hatch.build.targets.wheel]
 packages = ["app", "local_data", "migrations", "templates"]
--- a/app/requirements-dev.lock
+++ b/app/requirements-dev.lock
@ -0,0 +1,469 @@
 # generated by rye
 # use `rye lock` or `rye sync` to update this lockfile
 #
 # last locked with the following flags:
 #   pre: false
 #   features: []
 #   all-features: false
 #   with-sources: false
 #   generate-hashes: false
 #   universal: false
 -e file:.
 aiohappyeyeballs==2.4.4
    # via aiohttp
 aiohttp==3.11.11
    # via yacron
 aiosignal==1.3.2
    # via aiohttp
 aiosmtpd==1.4.6
    # via simplelogin
 aiosmtplib==3.0.2
    # via yacron
 aiospamc==0.10.0
    # via simplelogin
 alembic==1.14.0
    # via flask-migrate
 appnope==0.1.4
    # via ipython
 arrow==0.16.0
    # via simplelogin
 astroid==2.11.7
    # via pylint
 async-timeout==5.0.1
    # via aiohttp
    # via redis
 atpublic==5.0
    # via aiosmtpd
 attrs==24.3.0
    # via aiohttp
    # via aiosmtpd
    # via flanker
    # via pytest
 backcall==0.2.0
    # via ipython
 bcrypt==3.2.2
    # via simplelogin
 black==22.1.0
 blinker==1.9.0
    # via flask-debugtoolbar
    # via simplelogin
 boto3==1.35.99
    # via simplelogin
    # via watchtower
 botocore==1.35.99
    # via boto3
    # via s3transfer
 cachetools==5.5.0
    # via google-auth
 cbor2==5.6.5
    # via webauthn
 certifi==2024.12.14
    # via aiospamc
    # via requests
    # via sentry-sdk
 cffi==1.17.1
    # via bcrypt
    # via cryptography
 cfgv==3.4.0
    # via pre-commit
 chardet==4.0.0
    # via flanker
    # via requests
 click==8.1.8
    # via black
    # via djlint
    # via flask
    # via typer
 coinbase-commerce==1.0.1
    # via simplelogin
 colorama==0.4.6
    # via djlint
 coloredlogs==14.3
    # via simplelogin
 coverage==7.6.10
    # via pytest-cov
 crontab==0.22.8
    # via yacron
 cryptography==37.0.4
    # via flanker
    # via jwcrypto
    # via pgpy
    # via pyopenssl
    # via simplelogin
    # via webauthn
 decorator==5.1.1
    # via ipython
 deprecated==1.2.15
    # via jwcrypto
    # via limits
    # via simplelogin
 dill==0.3.9
    # via pylint
 distlib==0.3.9
    # via virtualenv
 djlint==1.3.0
 dkimpy==1.0.6
    # via simplelogin
 dnspython==2.6.1
    # via dkimpy
    # via email-validator
    # via simplelogin
 email-validator==1.1.3
    # via simplelogin
 facebook-sdk==3.1.0
    # via simplelogin
 filelock==3.16.1
    # via tldextract
    # via virtualenv
 flanker==0.9.11
    # via simplelogin
 flask==1.1.2
    # via flask-admin
    # via flask-cors
    # via flask-debugtoolbar
    # via flask-httpauth
    # via flask-limiter
    # via flask-login
    # via flask-migrate
    # via flask-profiler
    # via flask-sqlalchemy
    # via flask-wtf
    # via simplelogin
 flask-admin==1.5.8
    # via simplelogin
 flask-cors==3.0.10
    # via simplelogin
 flask-debugtoolbar==0.11.0
    # via flask-debugtoolbar-sqlalchemy
    # via simplelogin
 flask-debugtoolbar-sqlalchemy==0.2.0
    # via simplelogin
 flask-httpauth==4.8.0
    # via flask-profiler
 flask-limiter==1.4
    # via simplelogin
 flask-login==0.5.0
    # via simplelogin
 flask-migrate==2.5.3
    # via simplelogin
 flask-profiler==1.8.1
    # via simplelogin
 flask-sqlalchemy==2.5.1
    # via flask-migrate
 flask-wtf==0.14.3
    # via simplelogin
 frozenlist==1.5.0
    # via aiohttp
    # via aiosignal
 future==1.0.0
    # via webauthn
 gevent==24.11.1
    # via simplelogin
 google-api-core==2.24.0
    # via google-api-python-client
 google-api-python-client==1.12.11
    # via simplelogin
 google-auth==2.37.0
    # via google-api-core
    # via google-api-python-client
    # via google-auth-httplib2
 google-auth-httplib2==0.0.4
    # via google-api-python-client
    # via simplelogin
 googleapis-common-protos==1.66.0
    # via google-api-core
 greenlet==3.1.1
    # via gevent
 gunicorn==20.0.4
    # via simplelogin
 html-tag-names==0.1.2
    # via djlint
 html-void-elements==0.1.0
    # via djlint
 httplib2==0.22.0
    # via google-api-python-client
    # via google-auth-httplib2
 humanfriendly==10.0
    # via coloredlogs
 identify==2.6.5
    # via pre-commit
 idna==2.10
    # via email-validator
    # via flanker
    # via requests
    # via tldextract
    # via yarl
 importlib-metadata==4.13.0
    # via djlint
 iniconfig==2.0.0
    # via pytest
 ipython==7.31.1
    # via simplelogin
 isort==5.13.2
    # via pylint
 itsdangerous==1.1.0
    # via flask
    # via flask-debugtoolbar
    # via flask-wtf
    # via simplelogin
 jedi==0.19.2
    # via ipython
 jinja2==2.11.3
    # via flask
    # via yacron
 jmespath==1.0.1
    # via boto3
    # via botocore
 jwcrypto==0.9.1
    # via simplelogin
 lazy-object-proxy==1.10.0
    # via astroid
 limits==4.0.0
    # via flask-limiter
 loguru==0.7.3
    # via aiospamc
 mako==1.3.8
    # via alembic
 markupsafe==1.1.1
    # via jinja2
    # via mako
    # via simplelogin
    # via wtforms
 matplotlib-inline==0.1.7
    # via ipython
 mccabe==0.7.0
    # via pylint
 memory-profiler==0.57.0
    # via simplelogin
 multidict==6.1.0
    # via aiohttp
    # via yarl
 mypy-extensions==1.0.0
    # via black
 newrelic==8.8.1
    # via simplelogin
 newrelic-telemetry-sdk==0.5.1
    # via simplelogin
 nodeenv==1.9.1
    # via pre-commit
 oauthlib==3.2.2
    # via requests-oauthlib
 packaging==24.2
    # via limits
    # via pytest
 parso==0.8.4
    # via jedi
 pathspec==0.9.0
    # via black
    # via djlint
 pexpect==4.9.0
    # via ipython
 pgpy==0.5.4
    # via simplelogin
 phpserialize==1.3
    # via simplelogin
 pickleshare==0.7.5
    # via ipython
 platformdirs==4.3.6
    # via black
    # via pylint
    # via virtualenv
 pluggy==1.5.0
    # via pytest
 ply==3.11
    # via flanker
 pre-commit==2.17.0
 prompt-toolkit==3.0.48
    # via ipython
 propcache==0.2.1
    # via aiohttp
    # via yarl
 proto-plus==1.25.0
    # via google-api-core
 protobuf==5.29.3
    # via google-api-core
    # via googleapis-common-protos
    # via proto-plus
 psutil==6.1.1
    # via memory-profiler
 psycopg2-binary==2.9.10
    # via simplelogin
 ptyprocess==0.7.0
    # via pexpect
 py==1.11.0
    # via pytest
 pyasn1==0.6.1
    # via pgpy
    # via pyasn1-modules
    # via rsa
 pyasn1-modules==0.4.1
    # via google-auth
 pycparser==2.22
    # via cffi
 pycryptodome==3.9.9
    # via simplelogin
 pygments==2.19.1
    # via flask-debugtoolbar-sqlalchemy
    # via ipython
 pyjwt==2.10.1
    # via twilio
 pylint==2.14.5
 pyopenssl==19.1.0
    # via simplelogin
    # via webauthn
 pyotp==2.4.1
    # via simplelogin
 pyparsing==3.2.1
    # via httplib2
 pyre2==0.3.6
    # via simplelogin
 pyspf==2.0.14
    # via simplelogin
 pytest==7.0.1
    # via pytest-cov
 pytest-cov==3.0.0
 python-dateutil==2.9.0.post0
    # via arrow
    # via botocore
    # via strictyaml
 python-dotenv==0.14.0
    # via simplelogin
 python-gnupg==0.4.9
    # via simplelogin
 pytz==2024.2
    # via twilio
    # via yacron
 pyyaml==6.0.2
    # via djlint
    # via pre-commit
 redis==4.5.5
    # via simplelogin
 regex==2022.10.31
    # via djlint
    # via flanker
 requests==2.25.1
    # via coinbase-commerce
    # via facebook-sdk
    # via google-api-core
    # via requests-file
    # via requests-oauthlib
    # via simplelogin
    # via tldextract
    # via twilio
 requests-file==2.1.0
    # via tldextract
 requests-oauthlib==1.3.1
    # via simplelogin
 rsa==4.9
    # via google-auth
 ruamel-yaml==0.17.4
    # via yacron
 ruff==0.1.15
 s3transfer==0.10.4
    # via boto3
 sentry-sdk==2.20.0
    # via simplelogin
    # via yacron
 setuptools==75.8.0
    # via astroid
    # via gunicorn
    # via ipython
    # via zope-event
    # via zope-interface
 simplejson==3.19.3
    # via flask-profiler
 six==1.17.0
    # via coinbase-commerce
    # via flanker
    # via flask-cors
    # via flask-limiter
    # via google-api-python-client
    # via google-auth-httplib2
    # via jwcrypto
    # via pgpy
    # via pyopenssl
    # via python-dateutil
    # via sqlalchemy-utils
    # via webauthn
 sqlalchemy==1.3.24
    # via alembic
    # via flask-debugtoolbar-sqlalchemy
    # via flask-sqlalchemy
    # via simplelogin
    # via sqlalchemy-utils
 sqlalchemy-utils==0.36.8
    # via simplelogin
 sqlparse==0.5.3
    # via flask-debugtoolbar-sqlalchemy
 strictyaml==1.7.3
    # via yacron
 tld==0.13
    # via flanker
 tldextract==3.1.2
    # via simplelogin
 toml==0.10.2
    # via pre-commit
 tomli==2.2.1
    # via black
    # via coverage
    # via djlint
    # via pylint
    # via pytest
 tomlkit==0.13.2
    # via pylint
 tqdm==4.67.1
    # via djlint
 traitlets==5.14.3
    # via ipython
    # via matplotlib-inline
 twilio==7.3.2
    # via simplelogin
 typer==0.9.4
    # via aiospamc
 typing-extensions==4.12.2
    # via aiospamc
    # via alembic
    # via limits
    # via multidict
    # via typer
 unidecode==1.1.2
    # via simplelogin
 uritemplate==3.0.1
    # via google-api-python-client
 urllib3==1.26.20
    # via botocore
    # via newrelic-telemetry-sdk
    # via requests
    # via sentry-sdk
 virtualenv==20.29.0
    # via pre-commit
 watchtower==0.8.0
    # via simplelogin
 wcwidth==0.2.13
    # via prompt-toolkit
 webauthn==0.4.7
    # via simplelogin
 webob==1.8.9
    # via flanker
 werkzeug==1.0.1
    # via flask
    # via flask-debugtoolbar
    # via simplelogin
 wrapt==1.17.2
    # via astroid
    # via deprecated
 wtforms==2.3.3
    # via flask-admin
    # via flask-wtf
    # via simplelogin
 yacron==0.19.0
    # via simplelogin
 yarl==1.18.3
    # via aiohttp
 zipp==3.21.0
    # via importlib-metadata
 zope-event==5.0
    # via gevent
 zope-interface==7.2
    # via gevent
--- a/app/requirements.lock
+++ b/app/requirements.lock
@ -0,0 +1,392 @@
 # generated by rye
 # use `rye lock` or `rye sync` to update this lockfile
 #
 # last locked with the following flags:
 #   pre: false
 #   features: []
 #   all-features: false
 #   with-sources: false
 #   generate-hashes: false
 #   universal: false
 -e file:.
 aiohttp==3.8.4
    # via google-auth
    # via yacron
 aiosignal==1.2.0
    # via aiohttp
 aiosmtpd==1.4.2
    # via simplelogin
 aiosmtplib==1.1.4
    # via yacron
 aiospamc==0.10.0
    # via simplelogin
 alembic==1.4.3
    # via flask-migrate
 appnope==0.1.0
    # via ipython
 arrow==0.16.0
    # via simplelogin
 async-timeout==4.0.2
    # via aiohttp
    # via redis
 atpublic==2.0
    # via aiosmtpd
 attrs==20.2.0
    # via aiohttp
    # via aiosmtpd
    # via flanker
 backcall==0.2.0
    # via ipython
 bcrypt==3.2.0
    # via simplelogin
 blinker==1.4
    # via flask-debugtoolbar
    # via simplelogin
 boto3==1.35.99
    # via simplelogin
    # via watchtower
 botocore==1.35.99
    # via boto3
    # via s3transfer
 cachetools==4.1.1
    # via google-auth
 cbor2==5.2.0
    # via webauthn
 certifi==2019.11.28
    # via aiospamc
    # via requests
    # via sentry-sdk
 cffi==1.14.4
    # via bcrypt
    # via cryptography
 chardet==3.0.4
    # via flanker
    # via requests
 charset-normalizer==3.4.1
    # via aiohttp
 click==8.0.3
    # via flask
    # via typer
 coinbase-commerce==1.0.1
    # via simplelogin
 coloredlogs==14.0
    # via simplelogin
 crontab==0.22.8
    # via yacron
 cryptography==37.0.1
    # via flanker
    # via jwcrypto
    # via pgpy
    # via pyopenssl
    # via simplelogin
    # via webauthn
 decorator==4.4.2
    # via ipython
 deprecated==1.2.13
    # via simplelogin
 dkimpy==1.0.5
    # via simplelogin
 dnspython==2.6.1
    # via dkimpy
    # via email-validator
    # via simplelogin
 email-validator==1.1.3
    # via simplelogin
 facebook-sdk==3.1.0
    # via simplelogin
 filelock==3.15.4
    # via tldextract
 flanker==0.9.11
    # via simplelogin
 flask==1.1.2
    # via flask-admin
    # via flask-cors
    # via flask-debugtoolbar
    # via flask-httpauth
    # via flask-limiter
    # via flask-login
    # via flask-migrate
    # via flask-profiler
    # via flask-sqlalchemy
    # via flask-wtf
    # via simplelogin
 flask-admin==1.5.7
    # via simplelogin
 flask-cors==3.0.9
    # via simplelogin
 flask-debugtoolbar==0.11.0
    # via flask-debugtoolbar-sqlalchemy
    # via simplelogin
 flask-debugtoolbar-sqlalchemy==0.2.0
    # via simplelogin
 flask-httpauth==4.1.0
    # via flask-profiler
 flask-limiter==1.4
    # via simplelogin
 flask-login==0.5.0
    # via simplelogin
 flask-migrate==2.5.3
    # via simplelogin
 flask-profiler==1.8.1
    # via simplelogin
 flask-sqlalchemy==2.5.1
    # via flask-migrate
 flask-wtf==0.14.3
    # via simplelogin
 frozenlist==1.3.3
    # via aiohttp
    # via aiosignal
 future==0.18.3
    # via webauthn
 gevent==24.11.1
    # via simplelogin
 google-api-core==1.22.2
    # via google-api-python-client
 google-api-python-client==1.12.3
    # via simplelogin
 google-auth==1.22.0
    # via google-api-core
    # via google-api-python-client
    # via google-auth-httplib2
 google-auth-httplib2==0.0.4
    # via google-api-python-client
    # via simplelogin
 googleapis-common-protos==1.52.0
    # via google-api-core
 greenlet==3.1.1
    # via gevent
 gunicorn==20.0.4
    # via simplelogin
 httplib2==0.22.0
    # via google-api-python-client
    # via google-auth-httplib2
 humanfriendly==8.2
    # via coloredlogs
 idna==2.10
    # via email-validator
    # via flanker
    # via requests
    # via tldextract
    # via yarl
 ipython==7.31.1
    # via simplelogin
 ipython-genutils==0.2.0
    # via traitlets
 itsdangerous==1.1.0
    # via flask
    # via flask-debugtoolbar
    # via flask-wtf
    # via simplelogin
 jedi==0.17.2
    # via ipython
 jinja2==2.11.3
    # via flask
    # via yacron
 jmespath==0.10.0
    # via boto3
    # via botocore
 jwcrypto==0.8
    # via simplelogin
 limits==1.5.1
    # via flask-limiter
 loguru==0.7.2
    # via aiospamc
 mako==1.2.4
    # via alembic
 markupsafe==1.1.1
    # via jinja2
    # via mako
    # via simplelogin
    # via wtforms
 matplotlib-inline==0.1.3
    # via ipython
 memory-profiler==0.57.0
    # via simplelogin
 multidict==4.7.6
    # via aiohttp
    # via yarl
 newrelic==8.8.0
    # via simplelogin
 newrelic-telemetry-sdk==0.5.0
    # via simplelogin
 oauthlib==3.1.0
    # via requests-oauthlib
 parso==0.7.1
    # via jedi
 pexpect==4.8.0
    # via ipython
 pgpy==0.5.4
    # via simplelogin
 phpserialize==1.3
    # via simplelogin
 pickleshare==0.7.5
    # via ipython
 ply==3.11
    # via flanker
 prompt-toolkit==3.0.7
    # via ipython
 protobuf==5.27.1
    # via google-api-core
    # via googleapis-common-protos
 psutil==5.7.2
    # via memory-profiler
 psycopg2-binary==2.9.3
    # via simplelogin
 ptyprocess==0.6.0
    # via pexpect
 pyasn1==0.4.8
    # via pgpy
    # via pyasn1-modules
    # via rsa
 pyasn1-modules==0.2.8
    # via google-auth
 pycparser==2.20
    # via cffi
 pycryptodome==3.9.8
    # via simplelogin
 pygments==2.7.4
    # via flask-debugtoolbar-sqlalchemy
    # via ipython
 pyjwt==2.4.0
    # via twilio
 pyopenssl==19.1.0
    # via simplelogin
    # via webauthn
 pyotp==2.4.0
    # via simplelogin
 pyparsing==2.4.7
    # via httplib2
 pyre2==0.3.6
    # via simplelogin
 pyspf==2.0.14
    # via simplelogin
 python-dateutil==2.8.1
    # via alembic
    # via arrow
    # via botocore
    # via strictyaml
 python-dotenv==0.14.0
    # via simplelogin
 python-editor==1.0.4
    # via alembic
 python-gnupg==0.4.6
    # via simplelogin
 pytz==2020.1
    # via google-api-core
    # via twilio
    # via yacron
 redis==4.5.5
    # via simplelogin
 regex==2023.12.25
    # via flanker
 requests==2.25.1
    # via coinbase-commerce
    # via facebook-sdk
    # via google-api-core
    # via requests-file
    # via requests-oauthlib
    # via simplelogin
    # via tldextract
    # via twilio
 requests-file==1.5.1
    # via tldextract
 requests-oauthlib==1.3.0
    # via simplelogin
 rsa==4.6
    # via google-auth
 ruamel-yaml==0.17.4
    # via strictyaml
    # via yacron
 s3transfer==0.10.4
    # via boto3
 sentry-sdk==2.20.0
    # via simplelogin
    # via yacron
 setuptools==67.6.0
    # via google-api-core
    # via google-auth
    # via gunicorn
    # via ipython
    # via zope-event
    # via zope-interface
 simplejson==3.17.2
    # via flask-profiler
 six==1.15.0
    # via bcrypt
    # via coinbase-commerce
    # via flanker
    # via flask-cors
    # via flask-limiter
    # via google-api-core
    # via google-api-python-client
    # via google-auth
    # via google-auth-httplib2
    # via limits
    # via pgpy
    # via pyopenssl
    # via python-dateutil
    # via requests-file
    # via sqlalchemy-utils
    # via webauthn
 sqlalchemy==1.3.24
    # via alembic
    # via flask-debugtoolbar-sqlalchemy
    # via flask-sqlalchemy
    # via simplelogin
    # via sqlalchemy-utils
 sqlalchemy-utils==0.36.8
    # via simplelogin
 sqlparse==0.4.4
    # via flask-debugtoolbar-sqlalchemy
 strictyaml==1.1.0
    # via yacron
 tld==0.12.6
    # via flanker
 tldextract==3.1.2
    # via simplelogin
 traitlets==5.0.4
    # via ipython
    # via matplotlib-inline
 twilio==7.3.2
    # via simplelogin
 typer==0.9.0
    # via aiospamc
 typing-extensions==4.8.0
    # via aiospamc
    # via typer
 unidecode==1.1.1
    # via simplelogin
 uritemplate==3.0.1
    # via google-api-python-client
 urllib3==1.26.20
    # via botocore
    # via newrelic-telemetry-sdk
    # via requests
    # via sentry-sdk
 watchtower==0.8.0
    # via simplelogin
 wcwidth==0.2.5
    # via prompt-toolkit
 webauthn==0.4.7
    # via simplelogin
 webob==1.8.7
    # via flanker
 werkzeug==1.0.1
    # via flask
    # via flask-debugtoolbar
    # via simplelogin
 wrapt==1.15.0
    # via deprecated
 wtforms==2.3.3
    # via flask-admin
    # via flask-wtf
    # via simplelogin
 yacron==0.19.0
    # via simplelogin
 yarl==1.9.2
    # via aiohttp
 zope-event==5.0
    # via gevent
 zope-interface==7.2
    # via gevent
--- a/app/scripts/new-migration.sh
+++ b/app/scripts/new-migration.sh
@ -12,10 +12,10 @@ docker run -p 25432:5432 --name ${container_name} -e POSTGRES_PASSWORD=postgres
 sleep 3
 # upgrade the DB to the latest stage and
-env DB_URI=postgresql://postgres:postgres@127.0.0.1:25432/sl poetry run alembic upgrade head
+env DB_URI=postgresql://postgres:postgres@127.0.0.1:25432/sl uv run alembic upgrade head
 # generate the migration script.
-env DB_URI=postgresql://postgres:postgres@127.0.0.1:25432/sl poetry run alembic revision --autogenerate $@
+env DB_URI=postgresql://postgres:postgres@127.0.0.1:25432/sl uv run alembic revision --autogenerate $@
 # remove the db
 docker rm -f ${container_name}
--- a/app/scripts/reset_local_db.sh
+++ b/app/scripts/reset_local_db.sh
@ -3,5 +3,5 @@
 export DB_URI=postgresql://myuser:mypassword@localhost:15432/simplelogin
 echo 'drop schema public cascade; create schema public;' | psql  $DB_URI
-poetry run alembic upgrade head
+uv run alembic upgrade head
-poetry run flask dummy-data
+uv run flask dummy-data
--- a/app/scripts/reset_test_db.sh
+++ b/app/scripts/reset_test_db.sh
@ -3,4 +3,4 @@
 export DB_URI=postgresql://myuser:mypassword@localhost:15432/test
 echo 'drop schema public cascade; create schema public;' | psql  $DB_URI
-poetry run alembic upgrade head
+uv run alembic upgrade head
--- a/app/scripts/run-test.sh
+++ b/app/scripts/run-test.sh
@ -10,10 +10,10 @@ docker run -d --name sl-test-db -e POSTGRES_PASSWORD=test -e POSTGRES_USER=test
 sleep 3
 # migrate the DB to the latest version
-CONFIG=tests/test.env poetry run alembic upgrade head
+CONFIG=tests/test.env uv run alembic upgrade head
 # run test
-poetry run pytest -c pytest.ci.ini
+uv run pytest -c pytest.ci.ini
 # Delete the test DB
 docker rm -f sl-test-db
--- a/app/tests/api/test_alias.py
+++ b/app/tests/api/test_alias.py
@ -549,7 +549,7 @@ def test_create_contact_route_free_users(flask_client):
    assert r.status_code == 201
    # End trial and disallow for new free users. Config should allow it
-    user.flags = User.FLAG_DISABLE_CREATE_CONTACTS
+    user.flags = User.FLAG_FREE_DISABLE_CREATE_CONTACTS
    Session.commit()
    r = flask_client.post(
        url_for("api.create_contact_route", alias_id=alias.id),
--- a/app/tests/dashboard/test_coupon.py
+++ b/app/tests/dashboard/test_coupon.py
@ -1,10 +1,11 @@
 from flask import url_for
-from app.models import Coupon
+
 from app.models import Coupon, LifetimeCoupon
 from app.utils import random_string
 from tests.utils import login
-def test_use_coupon(flask_client):
+def test_redeem_coupon_without_subscription(flask_client):
    user = login(flask_client)
    code = random_string(10)
    Coupon.create(code=code, nb_year=1, commit=True)
@ -14,7 +15,22 @@ def test_use_coupon(flask_client):
        data={"code": code},
    )
-    assert r.status_code == 302
+    assert r.status_code == 200
    coupon = Coupon.get_by(code=code)
    assert coupon.used
    assert coupon.used_by_user_id == user.id
 def test_redeem_lifetime_coupon(flask_client):
    login(flask_client)
    code = random_string(10)
    LifetimeCoupon.create(code=code, nb_used=1, commit=True)
    r = flask_client.post(
        url_for("dashboard.lifetime_licence"),
        data={"code": code},
    )
    assert r.status_code == 302
    coupon = LifetimeCoupon.get_by(code=code)
    assert coupon.nb_used == 0
--- a/app/tests/example_emls/multi_reply_to.eml
+++ b/app/tests/example_emls/multi_reply_to.eml
@ -0,0 +1,21 @@
 X-SimpleLogin-Client-IP: 54.39.200.130
 Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=34.59.200.130;
 helo=relay.somewhere.net; envelope-from=everwaste@gmail.com;
 receiver=<UNKNOWN>
 Received: from relay.somewhere.net (relay.somewhere.net [34.59.200.130])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mx1.sldev.ovh (Postfix) with ESMTPS id 6D8C13F069
        for <wehrman_mannequin@sldev.ovh>; Thu, 17 Mar 2022 16:50:20 +0000 (UTC)
 Date: Thu, 17 Mar 2022 16:50:18 +0000
 To: {{ alias_email }}
 From: somewhere@rainbow.com
 Reply-To: 666-Mail Test <a1@mailcstest.com>, 777-Mail Test <a2@mailcstest.com>,
  888-Mail Test <a3@mailcstest.com>, - 5 at mailcstest.com" <a4@simplelogin.co>
 Subject: test Thu, 17 Mar 2022 16:50:18 +0000
 Message-Id: <20220317165018.000191@somewhere-5488dd4b6b-7crp6>
 X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
 X-Rspamd-Queue-Id: 6D8C13F069
 X-Rspamd-Server: staging1
 This is a test mailing
--- a/app/tests/handler/test_reply_to.py
+++ b/app/tests/handler/test_reply_to.py
@ -0,0 +1,33 @@
 from aiosmtpd.smtp import Envelope
 import email_handler
 from app.email import status, headers
 from app.email_utils import get_header_unicode, parse_full_address
 from app.mail_sender import mail_sender
 from app.models import Alias, Contact
 from tests.utils import create_new_user, load_eml_file
@mail_sender.store_emails_test_decorator
 def test_multi_reply_to():
    user = create_new_user()
    alias = Alias.create_new_random(user)
    envelope = Envelope()
    envelope.mail_from = "env.somewhere"
    envelope.rcpt_tos = [alias.email]
    msg = load_eml_file("multi_reply_to.eml", {"alias_email": alias.email})
    alias_id = alias.id
    result = email_handler.MailHandler()._handle(envelope, msg)
    assert result == status.E200
    sent_emails = mail_sender.get_stored_emails()
    assert 1 == len(sent_emails)
    msg = sent_emails[0].msg
    reply_to = get_header_unicode(msg[headers.REPLY_TO])
    entries = reply_to.split(",")
    assert 4 == len(entries)
    for entry in entries:
        dummy, email = parse_full_address(entry)
        contact = Contact.get_by(reply_email=email)
        assert contact is not None
        assert contact.alias_id == alias_id
--- a/app/tests/test_contact_utils.py
+++ b/app/tests/test_contact_utils.py
@ -135,7 +135,7 @@ def test_create_contact_free_user():
    assert result.contact is not None
    assert not result.contact.automatic_created
    # Free users with the flag should be able to still create automatic emails
-    user.flags = User.FLAG_DISABLE_CREATE_CONTACTS
+    user.flags = User.FLAG_FREE_DISABLE_CREATE_CONTACTS
    Session.flush()
    result = create_contact(random_email(), alias, automatic_created=True)
    assert result.error is None
--- a/app/tests/test_coupon_utils.py
+++ b/app/tests/test_coupon_utils.py
@ -0,0 +1,159 @@
 import arrow
 import pytest
 from app.coupon_utils import (
    redeem_coupon,
    CouponUserCannotRedeemError,
    redeem_lifetime_coupon,
 )
 from app.models import (
    Coupon,
    Subscription,
    ManualSubscription,
    AppleSubscription,
    CoinbaseSubscription,
    LifetimeCoupon,
    User,
 )
 from tests.utils import create_new_user, random_string
 def test_use_coupon():
    user = create_new_user()
    code = random_string(10)
    Coupon.create(code=code, nb_year=1, commit=True)
    coupon = redeem_coupon(code, user)
    assert coupon
    coupon = Coupon.get_by(code=code)
    assert coupon
    assert coupon.used
    assert coupon.used_by_user_id == user.id
    sub = user.get_active_subscription()
    assert isinstance(sub, ManualSubscription)
    left = sub.end_at - arrow.utcnow()
    assert left.days > 364
 def test_use_coupon_extend_manual_sub():
    user = create_new_user()
    initial_end = arrow.now().shift(days=15)
    ManualSubscription.create(
        user_id=user.id,
        end_at=initial_end,
        flush=True,
    )
    code = random_string(10)
    Coupon.create(code=code, nb_year=1, commit=True)
    coupon = redeem_coupon(code, user)
    assert coupon
    coupon = Coupon.get_by(code=code)
    assert coupon
    assert coupon.used
    assert coupon.used_by_user_id == user.id
    sub = user.get_active_subscription()
    assert isinstance(sub, ManualSubscription)
    left = sub.end_at - initial_end
    assert left.days > 364
 def test_coupon_with_subscription():
    user = create_new_user()
    end_at = arrow.utcnow().shift(days=1).replace(hour=0, minute=0, second=0)
    Subscription.create(
        user_id=user.id,
        cancel_url="",
        update_url="",
        subscription_id=random_string(10),
        event_time=arrow.now(),
        next_bill_date=end_at.date(),
        plan="yearly",
        flush=True,
    )
    with pytest.raises(CouponUserCannotRedeemError):
        redeem_coupon("", user)
 def test_webhook_with_apple_subscription():
    user = create_new_user()
    end_at = arrow.utcnow().shift(days=2).replace(hour=0, minute=0, second=0)
    AppleSubscription.create(
        user_id=user.id,
        receipt_data=arrow.now().date().strftime("%Y-%m-%d"),
        expires_date=end_at.date().strftime("%Y-%m-%d"),
        original_transaction_id=random_string(10),
        plan="yearly",
        product_id="",
        flush=True,
    )
    with pytest.raises(CouponUserCannotRedeemError):
        redeem_coupon("", user)
 def test_webhook_with_coinbase_subscription():
    user = create_new_user()
    end_at = arrow.utcnow().shift(days=3).replace(hour=0, minute=0, second=0)
    CoinbaseSubscription.create(
        user_id=user.id, end_at=end_at.date().strftime("%Y-%m-%d"), flush=True
    )
    with pytest.raises(CouponUserCannotRedeemError):
        redeem_coupon("", user)
 def test_expired_coupon():
    user = create_new_user()
    code = random_string(10)
    Coupon.create(
        code=code, nb_year=1, commit=True, expires_date=arrow.utcnow().shift(days=-1)
    )
    coupon = redeem_coupon(code, user)
    assert coupon is None
 def test_used_coupon():
    user = create_new_user()
    code = random_string(10)
    Coupon.create(code=code, nb_year=1, commit=True, used=True)
    coupon = redeem_coupon(code, user)
    assert coupon is None
 # Lifetime
 def test_lifetime_coupon():
    user = create_new_user()
    code = random_string(10)
    LifetimeCoupon.create(code=code, nb_used=1)
    coupon = redeem_lifetime_coupon(code, user)
    assert coupon
    user = User.get(user.id)
    assert user.lifetime
    assert not user.paid_lifetime
 def test_lifetime_paid_coupon():
    user = create_new_user()
    code = random_string(10)
    LifetimeCoupon.create(code=code, nb_used=1, paid=True)
    coupon = redeem_lifetime_coupon(code, user)
    assert coupon
    user = User.get(user.id)
    assert user.lifetime
    assert user.paid_lifetime
 def test_used_lifetime_coupon():
    user = create_new_user()
    code = random_string(10)
    LifetimeCoupon.create(code=code, nb_used=0, paid=True)
    coupon = redeem_lifetime_coupon(code, user)
    assert coupon is None
    user = User.get(user.id)
    assert not user.lifetime
    assert not user.paid_lifetime
--- a/app/tests/test_email_handler.py
+++ b/app/tests/test_email_handler.py
@ -2,6 +2,7 @@ import random
 from email.message import EmailMessage
 from typing import List
 import arrow
 import pytest
 from aiosmtpd.smtp import Envelope
@ -387,3 +388,15 @@ def test_preserve_headers(flask_client):
    msg = sent_mails[0].msg
    for header in headers_to_keep:
        assert msg[header] == header + "keep"
 def test_not_send_to_pending_to_delete_users(flask_client):
    user = create_new_user()
    alias = Alias.create_new_random(user)
    user.delete_on = arrow.utcnow()
    envelope = Envelope()
    envelope.mail_from = "somewhere@lo.cal"
    envelope.rcpt_tos = [alias.email]
    msg = EmailMessage()
    result = email_handler.handle(envelope, msg)
    assert result == status.E504
--- a/app/tests/test_mailbox_utils.py
+++ b/app/tests/test_mailbox_utils.py
@ -1,3 +1,4 @@
 import re
 from typing import Optional
 import arrow
@ -6,7 +7,11 @@ import pytest
 from app import mailbox_utils, config
 from app.db import Session
 from app.mail_sender import mail_sender
-from app.mailbox_utils import MailboxEmailChangeError, get_mailbox_for_reply_phase
+from app.mailbox_utils import (
    MailboxEmailChangeError,
    get_mailbox_for_reply_phase,
    request_mailbox_email_change,
 )
 from app.models import (
    Mailbox,
    MailboxActivation,
@ -361,6 +366,24 @@ def test_verify_ok():
    assert mailbox.verified
@mail_sender.store_emails_test_decorator
 def test_verify_ok_for_mailbox_email_change():
    out_create = mailbox_utils.create_mailbox(user, random_email(), verified=True)
    mailbox_id = out_create.mailbox.id
    new_email = f"new{out_create.mailbox.email}"
    out_change = mailbox_utils.request_mailbox_email_change(
        user, out_create.mailbox, new_email
    )
    assert out_change.activation.code is not None
    mailbox_utils.verify_mailbox_code(user, mailbox_id, out_change.activation.code)
    activation = MailboxActivation.get_by(mailbox_id=out_create.mailbox.id)
    assert activation is None
    mailbox = Mailbox.get(id=out_create.mailbox.id)
    assert mailbox.verified
    assert mailbox.email == new_email
    assert mailbox.new_email is None
 # perform_mailbox_email_change
 def test_perform_mailbox_email_change_invalid_id():
    res = mailbox_utils.perform_mailbox_email_change(99999)
@ -507,3 +530,71 @@ def test_get_mailbox_from_mail_from_coming_from_header_if_domain_is_not_aligned(
    mb = get_mailbox_for_reply_phase(envelope_from, mail_from, alias)
    assert mb is None
@mail_sender.store_emails_test_decorator
 def test_change_mailbox_address(flask_client):
    user = create_new_user()
    domain = f"{random_string(10)}.com"
    mail1 = f"mail_1@{domain}"
    mbox = Mailbox.create(email=mail1, user_id=user.id, verified=True, flush=True)
    mail2 = f"mail_2@{domain}"
    out = request_mailbox_email_change(user, mbox, mail2)
    changed_mailbox = Mailbox.get(mbox.id)
    assert changed_mailbox.new_email == mail2
    assert out.activation.mailbox_id == changed_mailbox.id
    assert re.match("^[0-9]+$", out.activation.code) is None
    assert 1 == len(mail_sender.get_stored_emails())
    mail_sent = mail_sender.get_stored_emails()[0]
    mail_contents = str(mail_sent.msg)
    assert mail_contents.find(config.URL) > 0
    assert mail_contents.find(out.activation.code) > 0
    assert mail_sent.envelope_to == mail2
@mail_sender.store_emails_test_decorator
 def test_change_mailbox_address_without_verification_email(flask_client):
    user = create_new_user()
    domain = f"{random_string(10)}.com"
    mail1 = f"mail_1@{domain}"
    mbox = Mailbox.create(email=mail1, user_id=user.id, verified=True, flush=True)
    mail2 = f"mail_2@{domain}"
    out = request_mailbox_email_change(user, mbox, mail2, send_email=False)
    changed_mailbox = Mailbox.get(mbox.id)
    assert changed_mailbox.new_email == mail2
    assert out.activation.mailbox_id == changed_mailbox.id
    assert re.match("^[0-9]+$", out.activation.code) is None
    assert 0 == len(mail_sender.get_stored_emails())
@mail_sender.store_emails_test_decorator
 def test_change_mailbox_address_with_code(flask_client):
    user = create_new_user()
    domain = f"{random_string(10)}.com"
    mail1 = f"mail_1@{domain}"
    mbox = Mailbox.create(email=mail1, user_id=user.id, verified=True, flush=True)
    mail2 = f"mail_2@{domain}"
    out = request_mailbox_email_change(user, mbox, mail2, use_digit_codes=True)
    changed_mailbox = Mailbox.get(mbox.id)
    assert changed_mailbox.new_email == mail2
    assert out.activation.mailbox_id == changed_mailbox.id
    assert re.match("^[0-9]+$", out.activation.code) is not None
    assert 1 == len(mail_sender.get_stored_emails())
    mail_sent = mail_sender.get_stored_emails()[0]
    mail_contents = str(mail_sent.msg)
    assert mail_contents.find(config.URL) > 0
    assert mail_contents.find(out.activation.code) > 0
    assert mail_sent.envelope_to == mail2
 def test_change_mailbox_verified_address(flask_client):
    user = create_new_user()
    domain = f"{random_string(10)}.com"
    mail1 = f"mail_1@{domain}"
    mbox = Mailbox.create(email=mail1, user_id=user.id, verified=True, flush=True)
    mail2 = f"mail_2@{domain}"
    out = request_mailbox_email_change(user, mbox, mail2, email_ownership_verified=True)
    changed_mailbox = Mailbox.get(mbox.id)
    assert changed_mailbox.email == mail2
    assert out.activation is None
    assert 0 == len(mail_sender.get_stored_emails())
--- a/app/uv.lock
+++ b/app/uv.lock
Author	SHA1	Message	Date
MrMeeb	ed37325b32	4.64.1 Some checks failed Build-Release-Image / Build-Image (linux/amd64) (push) Successful in 2m58s Details Build-Release-Image / Build-Image (linux/arm64) (push) Failing after 17m22s Details Build-Release-Image / Merge-Images (push) Has been skipped Details Build-Release-Image / Create-Release (push) Has been skipped Details Build-Release-Image / Notify (push) Has been skipped Details	2025-01-24 12:00:07 +00:00
MrMeeb	dd6005ffdf	4.64.0 Some checks failed Build-Release-Image / Build-Image (linux/amd64) (push) Successful in 3m25s Details Build-Release-Image / Build-Image (linux/arm64) (push) Failing after 14m51s Details Build-Release-Image / Merge-Images (push) Has been skipped Details Build-Release-Image / Create-Release (push) Has been skipped Details Build-Release-Image / Notify (push) Has been skipped Details	2025-01-21 12:00:08 +00:00
MrMeeb	664cd32f81	4.63.0 All checks were successful Build-Release-Image / Build-Image (linux/amd64) (push) Successful in 3m54s Details Build-Release-Image / Build-Image (linux/arm64) (push) Successful in 23m12s Details Build-Release-Image / Merge-Images (push) Successful in 46s Details Build-Release-Image / Create-Release (push) Successful in 9s Details Build-Release-Image / Notify (push) Successful in 3s Details	2025-01-20 12:00:06 +00:00