add limiter for random alias creation

2021-03-24 17:30:05 +01:00 · 2021-03-24 17:30:05 +01:00 · 92acf352b6
parent a570a426d4
commit 92acf352b6
3 changed files with 48 additions and 4 deletions
--- a/app/dashboard/views/custom_alias.py
+++ b/app/dashboard/views/custom_alias.py
@ -23,7 +23,7 @@ from app.models import (
    AliasMailbox,
    DomainDeletedAlias,
 )
-from app.utils import convert_to_id, random_word, word_exist
+from app.utils import random_word, word_exist

 signer = TimestampSigner(CUSTOM_ALIAS_SECRET)

--- a/app/dashboard/views/index.py
+++ b/app/dashboard/views/index.py
@ -6,9 +6,9 @@ from sqlalchemy.orm import joinedload

 from app import alias_utils
 from app.api.serializer import get_alias_infos_with_pagination_v3
-from app.config import PAGE_LIMIT
+from app.config import PAGE_LIMIT, ALIAS_LIMIT
 from app.dashboard.base import dashboard_bp
-from app.extensions import db
+from app.extensions import db, limiter
 from app.log import LOG
 from app.models import (
    Alias,
@ -51,6 +51,11 @@ def get_stats(user: User) -> Stats:


@dashboard_bp.route("/", methods=["GET", "POST"])
+@limiter.limit(
+    ALIAS_LIMIT,
+    methods=["POST"],
+    exempt_when=lambda: request.form.get("form-name") != "create-random-email",
+)
@login_required
 def index():
    query = request.args.get("query") or ""
@ -91,7 +96,7 @@ def index():

                db.session.commit()

-                LOG.d("generate new email %s for user %s", alias, current_user)
+                LOG.d("create new random alias %s for user %s", alias, current_user)
                flash(f"Alias {alias.email} has been created", "success")

                return redirect(
--- a/tests/dashboard/test_index.py
+++ b/tests/dashboard/test_index.py
@ -0,0 +1,39 @@
+from flask import url_for, g
+
+from app.models import (
+    Alias,
+)
+from tests.utils import login
+
+
+def test_create_random_alias_success(flask_client):
+    login(flask_client)
+    assert Alias.query.count() == 1
+
+    r = flask_client.post(
+        url_for("dashboard.index"),
+        data={"form-name": "create-random-email"},
+        follow_redirects=True,
+    )
+    assert r.status_code == 200
+    assert Alias.query.count() == 2
+
+
+def test_too_many_requests(flask_client):
+    login(flask_client)
+
+    # can't create more than 5 aliases in 1 minute
+    for i in range(7):
+        r = flask_client.post(
+            url_for("dashboard.index"),
+            data={"form-name": "create-random-email"},
+            follow_redirects=True,
+        )
+
+        # to make flask-limiter work with unit test
+        # https://github.com/alisaifee/flask-limiter/issues/147#issuecomment-642683820
+        g._rate_limiting_complete = False
+    else:
+        # last request
+        assert r.status_code == 429
+        assert "Whoa, slow down there, pardner!" in str(r.data)