From 6d736aa9159d3e6b0bc99c551dc3be5c9df33b01 Mon Sep 17 00:00:00 2001
From: george
Date: Thu, 20 Jan 2022 15:05:18 +0000
Subject: [PATCH] Implement rate limiting with send_email_with_rate_control.

---
 app/auth/views/mfa.py | 9 ++++++---
 app/config.py         | 2 ++
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/app/auth/views/mfa.py b/app/auth/views/mfa.py
index f04f8bde..949a2831 100644
--- a/app/auth/views/mfa.py
+++ b/app/auth/views/mfa.py
@@ -14,9 +14,9 @@ from flask_wtf import FlaskForm
 from wtforms import BooleanField, StringField, validators
 
 from app.auth.base import auth_bp
-from app.config import MFA_USER_ID, URL
+from app.config import MFA_USER_ID, URL, ALERT_INVALID_TOTP_LOGIN
 from app.db import Session
-from app.email_utils import send_email, render
+from app.email_utils import send_email_with_rate_control, render
 from app.extensions import limiter
 from app.models import User, MfaBrowser
 
@@ -92,11 +92,14 @@ def mfa():
 
             return response
         else:
-            send_email(
+            send_email_with_rate_control(
+                user,
+                ALERT_INVALID_TOTP_LOGIN,
                 user.email,
                 "There was an unsuccessful login on your SimpleLogin account",
                 render("transactional/invalid-totp-login.txt"),
                 render("transactional/invalid-totp-login.html"),
+                1,
             )
             flash("Incorrect token", "warning")
             # Trigger rate limiter
diff --git a/app/config.py b/app/config.py
index d25f383e..3c67e659 100644
--- a/app/config.py
+++ b/app/config.py
@@ -321,6 +321,8 @@ ALERT_FROM_ADDRESS_IS_REVERSE_ALIAS = "from_address_is_reverse_alias"
 
 ALERT_SPF = "spf"
 
+ALERT_INVALID_TOTP_LOGIN = "invalid_totp_login"
+
 # when a mailbox is also an alias
 # happens when user adds a mailbox with their domain
 # then later adds this domain into SimpleLogin
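Review bot: The trailing positional `1,` added to the send_email_with_rate_control call in the mfa.py `else:` branch is a magic number whose meaning cannot be read at the call site; presumably it is the per-period cap on this alert, but the function's signature is not in this patch, so that should be confirmed. Pass it by keyword if the function exposes one, or otherwise precede the call with a comment such as `# rate-controlled: at most 1 alert of this kind per user per period, so a sustained run of bad TOTP codes yields one email, not one per attempt`. It is also worth stating in that comment that suppressing repeat alerts deliberately trades away per-attempt visibility for the user and that the endpoint's `limiter` (see the `# Trigger rate limiter` line) remains the control against repeated guessing. The enclosing `mfa()` function begins and ends outside this hunk.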