Improve alias transfer. Use alias transfer_token. Add a limiter on /alias_transfer/receive
This commit is contained in:
parent
29afc1b6b5
commit
23a0861790
|
@ -173,9 +173,6 @@ FLASK_SECRET = os.environ["FLASK_SECRET"]
|
||||||
SESSION_COOKIE_NAME = "slapp"
|
SESSION_COOKIE_NAME = "slapp"
|
||||||
MAILBOX_SECRET = FLASK_SECRET + "mailbox"
|
MAILBOX_SECRET = FLASK_SECRET + "mailbox"
|
||||||
CUSTOM_ALIAS_SECRET = FLASK_SECRET + "custom_alias"
|
CUSTOM_ALIAS_SECRET = FLASK_SECRET + "custom_alias"
|
||||||
ALIAS_TRANSFER_SECRET = os.environ.get("ALIAS_TRANSFER_SECRET") or (
|
|
||||||
FLASK_SECRET + "alias_transfer"
|
|
||||||
)
|
|
||||||
|
|
||||||
# AWS
|
# AWS
|
||||||
AWS_REGION = os.environ.get("AWS_REGION") or "eu-west-3"
|
AWS_REGION = os.environ.get("AWS_REGION") or "eu-west-3"
|
||||||
|
|
|
@ -18,9 +18,10 @@
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
In order to transfer ownership,
|
In order to transfer ownership,
|
||||||
please send the following URL 👇 to the other person.
|
please create the <b>Share URL</b> 👇 and send it to the other person.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
|
{% if alias_transfer_url %}
|
||||||
<em data-toggle="tooltip"
|
<em data-toggle="tooltip"
|
||||||
title="Click to copy"
|
title="Click to copy"
|
||||||
class="clipboard"
|
class="clipboard"
|
||||||
|
@ -28,6 +29,20 @@
|
||||||
{{ alias_transfer_url }}
|
{{ alias_transfer_url }}
|
||||||
</em>
|
</em>
|
||||||
|
|
||||||
|
<form method="post">
|
||||||
|
<input type="hidden" name="form-name" value="remove">
|
||||||
|
<button class="btn btn-warning mt-2">Remove Share URL</button>
|
||||||
|
<div class="small-text">
|
||||||
|
If you don't want to share this alias anymore, you can remove the share URL.
|
||||||
|
</div>
|
||||||
|
</form>
|
||||||
|
{% else %}
|
||||||
|
<form method="post">
|
||||||
|
<input type="hidden" name="form-name" value="create">
|
||||||
|
<button class="btn btn-primary mt-2">Create Share URL</button>
|
||||||
|
</form>
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
<p class="mt-5">
|
<p class="mt-5">
|
||||||
This person can then confirm the reception and become the owner of the alias.
|
This person can then confirm the reception and become the owner of the alias.
|
||||||
</p>
|
</p>
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
|
from uuid import uuid4
|
||||||
|
|
||||||
from flask import render_template, redirect, url_for, flash, request
|
from flask import render_template, redirect, url_for, flash, request
|
||||||
from flask_login import login_required, current_user
|
from flask_login import login_required, current_user
|
||||||
from itsdangerous import Signer
|
|
||||||
|
|
||||||
from app.config import ALIAS_TRANSFER_SECRET
|
|
||||||
from app.config import URL
|
from app.config import URL
|
||||||
from app.dashboard.base import dashboard_bp
|
from app.dashboard.base import dashboard_bp
|
||||||
from app.email_utils import send_email, render
|
from app.email_utils import send_email, render
|
||||||
from app.extensions import db
|
from app.extensions import db, limiter
|
||||||
from app.log import LOG
|
from app.log import LOG
|
||||||
from app.models import (
|
from app.models import (
|
||||||
Alias,
|
Alias,
|
||||||
|
@ -89,12 +89,30 @@ def alias_transfer_send_route(alias_id):
|
||||||
)
|
)
|
||||||
return redirect(url_for("dashboard.index"))
|
return redirect(url_for("dashboard.index"))
|
||||||
|
|
||||||
s = Signer(ALIAS_TRANSFER_SECRET)
|
if alias.transfer_token:
|
||||||
alias_id_signed = s.sign(str(alias.id)).decode()
|
|
||||||
|
|
||||||
alias_transfer_url = (
|
alias_transfer_url = (
|
||||||
URL + "/dashboard/alias_transfer/receive" + f"?alias_id={alias_id_signed}"
|
URL + "/dashboard/alias_transfer/receive" + f"?token={alias.transfer_token}"
|
||||||
)
|
)
|
||||||
|
else:
|
||||||
|
alias_transfer_url = None
|
||||||
|
|
||||||
|
# generate a new transfer_token
|
||||||
|
if request.method == "POST":
|
||||||
|
if request.form.get("form-name") == "create":
|
||||||
|
alias.transfer_token = str(uuid4())
|
||||||
|
db.session.commit()
|
||||||
|
alias_transfer_url = (
|
||||||
|
URL + "/dashboard/alias_transfer/receive" + f"?token={alias.transfer_token}"
|
||||||
|
)
|
||||||
|
flash("Share URL created", "success")
|
||||||
|
return redirect(request.url)
|
||||||
|
# request.form.get("form-name") == "remove"
|
||||||
|
else:
|
||||||
|
alias.transfer_token = None
|
||||||
|
db.session.commit()
|
||||||
|
alias_transfer_url = None
|
||||||
|
flash("Share URL deleted", "success")
|
||||||
|
return redirect(request.url)
|
||||||
|
|
||||||
return render_template(
|
return render_template(
|
||||||
"dashboard/alias_transfer_send.html",
|
"dashboard/alias_transfer_send.html",
|
||||||
|
@ -104,21 +122,18 @@ def alias_transfer_send_route(alias_id):
|
||||||
|
|
||||||
|
|
||||||
@dashboard_bp.route("/alias_transfer/receive", methods=["GET", "POST"])
|
@dashboard_bp.route("/alias_transfer/receive", methods=["GET", "POST"])
|
||||||
|
@limiter.limit("5/minute")
|
||||||
@login_required
|
@login_required
|
||||||
def alias_transfer_receive_route():
|
def alias_transfer_receive_route():
|
||||||
"""
|
"""
|
||||||
URL has ?alias_id=signed_alias_id
|
URL has ?alias_id=signed_alias_id
|
||||||
"""
|
"""
|
||||||
s = Signer(ALIAS_TRANSFER_SECRET)
|
token = request.args.get("token")
|
||||||
signed_alias_id = request.args.get("alias_id")
|
alias = Alias.get_by(transfer_token=token)
|
||||||
|
|
||||||
try:
|
if not alias:
|
||||||
alias_id = int(s.unsign(signed_alias_id))
|
|
||||||
except Exception:
|
|
||||||
flash("Invalid link", "error")
|
flash("Invalid link", "error")
|
||||||
return redirect(url_for("dashboard.index"))
|
return redirect(url_for("dashboard.index"))
|
||||||
else:
|
|
||||||
alias = Alias.get(alias_id)
|
|
||||||
|
|
||||||
# alias already belongs to this user
|
# alias already belongs to this user
|
||||||
if alias.user_id == current_user.id:
|
if alias.user_id == current_user.id:
|
||||||
|
|
Loading…
Reference in New Issue