Add POST /api/contacts/:contact_id/toggle

app/api/views/alias.py

@@ -447,3 +447,25 @@ def delete_contact(contact_id):
     Session.commit()
 
     return jsonify(deleted=True), 200
+
+
+@api_bp.route("/contacts/<int:contact_id>/toggle", methods=["POST"])
+@require_api_auth
+def toggle_contact(contact_id):
+    """
+    Block/Unblock contact
+    Input:
+        contact_id: in url
+    Output:
+        200
+    """
+    user = g.user
+    contact = Contact.get(contact_id)
+
+    if not contact or contact.alias.user_id != user.id:
+        return jsonify(error="Forbidden"), 403
+
+    contact.block_forward = not contact.block_forward
+    Session.commit()
+
+    return jsonify(block_forward=contact.block_forward), 200

docs/api.md

@@ -728,6 +728,23 @@ If success, 200.
 }
 ```
 
+#### POST /api/contacts/:contact_id/toggle
+
+Block/unblock contact
+
+Input:
+- `Authentication` header that contains the api key
+- `contact_id` in url.
+
+Output:
+If success, 200 along with the new alias status:
+
+```json
+{
+    "block_forward": false
+}
+```
+
 ### Notification endpoints
 #### GET /api/notifications
 

tests/api/test_alias.py

@@ -656,3 +656,23 @@ def test_is_reverse_alias(flask_client):
     assert not is_reverse_alias("ra+abcd@test.org")
     assert not is_reverse_alias("reply+abcd@test.org")
     assert not is_reverse_alias("abcd@test.org")
+
+
+def test_toggle_contact(flask_client):
+    user = login(flask_client)
+
+    alias = Alias.create_new_random(user)
+    Session.commit()
+
+    contact = Contact.create(
+        alias_id=alias.id,
+        website_email="contact@example.com",
+        reply_email="reply+random@sl.io",
+        user_id=alias.user_id,
+    )
+    Session.commit()
+
+    r = flask_client.post(f"/api/contacts/{contact.id}/toggle")
+
+    assert r.status_code == 200
+    assert r.json == {"block_forward": True}