Implement rate limiting with send_email_with_rate_control.

2022-01-20 15:05:18 +00:00 · 2022-01-20 15:05:18 +00:00 · 6d736aa915
parent 122a402c22
commit 6d736aa915
2 changed files with 8 additions and 3 deletions
--- a/app/auth/views/mfa.py
+++ b/app/auth/views/mfa.py
@ -14,9 +14,9 @@ from flask_wtf import FlaskForm
 from wtforms import BooleanField, StringField, validators

 from app.auth.base import auth_bp
-from app.config import MFA_USER_ID, URL
+from app.config import MFA_USER_ID, URL, ALERT_INVALID_TOTP_LOGIN
 from app.db import Session
-from app.email_utils import send_email, render
+from app.email_utils import send_email_with_rate_control, render
 from app.extensions import limiter
 from app.models import User, MfaBrowser

@ -92,11 +92,14 @@ def mfa():
            return response

        else:
-            send_email(
+            send_email_with_rate_control(
+                user,
+                ALERT_INVALID_TOTP_LOGIN,
                user.email,
                "There was an unsuccessful login on your SimpleLogin account",
                render("transactional/invalid-totp-login.txt"),
                render("transactional/invalid-totp-login.html"),
+                1,
            )
            flash("Incorrect token", "warning")
            # Trigger rate limiter
--- a/app/config.py
+++ b/app/config.py
@ -321,6 +321,8 @@ ALERT_FROM_ADDRESS_IS_REVERSE_ALIAS = "from_address_is_reverse_alias"

 ALERT_SPF = "spf"

+ALERT_INVALID_TOTP_LOGIN = "invalid_totp_login"
+
 # when a mailbox is also an alias
 # happens when user adds a mailbox with their domain
 # then later adds this domain into SimpleLogin