Improve alias transfer. Use alias transfer_token. Add a limiter on /alias_transfer/receive

2021-03-06 18:07:51 +01:00 · 2021-03-06 18:07:51 +01:00 · 23a0861790
parent 29afc1b6b5
commit 23a0861790
3 changed files with 52 additions and 25 deletions
--- a/app/config.py
+++ b/app/config.py
@ -173,9 +173,6 @@ FLASK_SECRET = os.environ["FLASK_SECRET"]
 SESSION_COOKIE_NAME = "slapp"
 MAILBOX_SECRET = FLASK_SECRET + "mailbox"
 CUSTOM_ALIAS_SECRET = FLASK_SECRET + "custom_alias"
-ALIAS_TRANSFER_SECRET = os.environ.get("ALIAS_TRANSFER_SECRET") or (
-    FLASK_SECRET + "alias_transfer"
-)

 # AWS
 AWS_REGION = os.environ.get("AWS_REGION") or "eu-west-3"
--- a/app/dashboard/templates/dashboard/alias_transfer_send.html
+++ b/app/dashboard/templates/dashboard/alias_transfer_send.html
@ -18,15 +18,30 @@

      <p>
        In order to transfer ownership,
-        please send the following URL 👇 to the other person.
+        please create the <b>Share URL</b> 👇 and send it to the other person.
      </p>

-      <em data-toggle="tooltip"
-          title="Click to copy"
-          class="clipboard"
-          data-clipboard-text="{{ alias_transfer_url }}">
-        {{ alias_transfer_url }}
-      </em>
+      {% if alias_transfer_url %}
+        <em data-toggle="tooltip"
+            title="Click to copy"
+            class="clipboard"
+            data-clipboard-text="{{ alias_transfer_url }}">
+          {{ alias_transfer_url }}
+        </em>
+
+        <form method="post">
+          <input type="hidden" name="form-name" value="remove">
+          <button class="btn btn-warning mt-2">Remove Share URL</button>
+          <div class="small-text">
+            If you don't want to share this alias anymore, you can remove the share URL.
+          </div>
+        </form>
+      {% else %}
+        <form method="post">
+          <input type="hidden" name="form-name" value="create">
+          <button class="btn btn-primary mt-2">Create Share URL</button>
+        </form>
+      {% endif %}

      <p class="mt-5">
        This person can then confirm the reception and become the owner of the alias.
--- a/app/dashboard/views/alias_transfer.py
+++ b/app/dashboard/views/alias_transfer.py
@ -1,12 +1,12 @@
+from uuid import uuid4
+
 from flask import render_template, redirect, url_for, flash, request
 from flask_login import login_required, current_user
-from itsdangerous import Signer

-from app.config import ALIAS_TRANSFER_SECRET
 from app.config import URL
 from app.dashboard.base import dashboard_bp
 from app.email_utils import send_email, render
-from app.extensions import db
+from app.extensions import db, limiter
 from app.log import LOG
 from app.models import (
    Alias,
@ -89,12 +89,30 @@ def alias_transfer_send_route(alias_id):
        )
        return redirect(url_for("dashboard.index"))

-    s = Signer(ALIAS_TRANSFER_SECRET)
-    alias_id_signed = s.sign(str(alias.id)).decode()
+    if alias.transfer_token:
+        alias_transfer_url = (
+                URL + "/dashboard/alias_transfer/receive" + f"?token={alias.transfer_token}"
+        )
+    else:
+        alias_transfer_url = None

-    alias_transfer_url = (
-        URL + "/dashboard/alias_transfer/receive" + f"?alias_id={alias_id_signed}"
-    )
+    # generate a new transfer_token
+    if request.method == "POST":
+        if request.form.get("form-name") == "create":
+            alias.transfer_token = str(uuid4())
+            db.session.commit()
+            alias_transfer_url = (
+                    URL + "/dashboard/alias_transfer/receive" + f"?token={alias.transfer_token}"
+            )
+            flash("Share URL created", "success")
+            return redirect(request.url)
+        # request.form.get("form-name") == "remove"
+        else:
+            alias.transfer_token = None
+            db.session.commit()
+            alias_transfer_url = None
+            flash("Share URL deleted", "success")
+            return redirect(request.url)

    return render_template(
        "dashboard/alias_transfer_send.html",
@ -104,21 +122,18 @@ def alias_transfer_send_route(alias_id):


@dashboard_bp.route("/alias_transfer/receive", methods=["GET", "POST"])
+@limiter.limit("5/minute")
@login_required
 def alias_transfer_receive_route():
    """
    URL has ?alias_id=signed_alias_id
    """
-    s = Signer(ALIAS_TRANSFER_SECRET)
-    signed_alias_id = request.args.get("alias_id")
+    token = request.args.get("token")
+    alias = Alias.get_by(transfer_token=token)

-    try:
-        alias_id = int(s.unsign(signed_alias_id))
-    except Exception:
+    if not alias:
        flash("Invalid link", "error")
        return redirect(url_for("dashboard.index"))
-    else:
-        alias = Alias.get(alias_id)

    # alias already belongs to this user
    if alias.user_id == current_user.id: