From 45575261dcaaca5fa2c3392fcdb5ff02035f2e50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adri=C3=A0=20Casaj=C3=BAs?=
Date: Tue, 21 Nov 2023 14:42:24 +0100
Subject: [PATCH] Rate limit index endpoint (#1948)
---
 app/api/views/alias.py | 4 ++++
 app/dashboard/views/index.py | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/app/api/views/alias.py b/app/api/views/alias.py
index eef24ba1..6adc9ad3 100644
--- a/app/api/views/alias.py
+++ b/app/api/views/alias.py
@@ -24,6 +24,7 @@ from app.errors import (
 ErrContactAlreadyExists,
 ErrAddressInvalid,
 )
+from app.extensions import limiter
 from app.models import Alias, Contact, Mailbox, AliasMailbox
@@ -71,6 +72,9 @@ def get_aliases():
 @api_bp.route("/v2/aliases", methods=["GET", "POST"])
+@limiter.limit(
+ "15/minute",
+)
 @require_api_auth
 def get_aliases_v2():
 """
diff --git a/app/dashboard/views/index.py b/app/dashboard/views/index.py
index ceeef89e..24286dba 100644
--- a/app/dashboard/views/index.py
+++ b/app/dashboard/views/index.py
@@ -57,6 +57,10 @@ def get_stats(user: User) -> Stats:
 methods=["POST"],
 exempt_when=lambda: request.form.get("form-name") != "create-random-email",
 )
+@limiter.limit(
+ "10/minute",
+ methods=["GET"],
+)
 @login_required
 @parallel_limiter.lock(
 name="alias_creation",
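Review bot: On `get_aliases_v2` the new `@limiter.limit("15/minute")` sits above `@require_api_auth`, so the limit is counted before the API key has been validated. Which bucket a request falls into then depends on the limiter's key function in `app/extensions`, which this patch does not show. If that function falls back to the client address when no user is resolved yet, callers behind one NAT or proxy would share 15 requests a minute, while a single key used from many addresses would not be bounded per account. If per-account throttling is the intent, pass an explicit `key_func=` derived from the API credential and note the choice in a comment such as `# keyed per API key, applies to GET and POST`. No `methods=` is given here, so the limit covers both verbs, unlike the dashboard hunk; the function body continues outside the hunk.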
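Review bot: The added `@limiter.limit("10/minute", methods=["GET"])` on the dashboard index has no comment saying what it protects, and it is stacked directly under a POST-only limit with an `exempt_when`, so a reader has to work out that the two buckets are independent. A short comment above it stating the reason (presumably the cost of rendering the index page) and that it is separate from the alias-creation limit would help, e.g. `# GET-only page-load limit; independent of the POST alias-creation limit above`. It is also worth confirming that 10 per minute leaves room for normal use: if form posts on this view redirect back to the index, which the hunk does not show, each one also spends a GET token. The decorated view starts and ends outside the hunk.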