Ratelimit contact form; accept regular POST instead of JSON; remove junk file

643a91fa · Anton Sarukhanov · 9799707f · 643a91fa · 9799707f · 643a91fa
Commit 643a91fa authored 8 years ago by Anton Sarukhanov
--- a/api/app.py
+++ b/api/app.py
 import json
 from flask import Flask, redirect, render_template, request, url_for
+from flask_limiter import Limiter
+from flask_limiter.util import get_ipaddr
 from stravalib import unithelper
 from api.decorators import admin
 from api.models import db, ContactFormSubmission
@@ -11,6 +13,9 @@ app.config.from_pyfile('config.py')

 db.init_app(app)

+limiter = Limiter(key_func=get_ipaddr)
+limiter.init_app(app)
+
 @app.route('/')
 def index():
    return render_template('index.html')
@@ -39,10 +44,12 @@ def api_strava():
    return r

 @app.route('/api/contact', methods=['POST'])
+@limiter.limit("1/minute")
 def api_contact():
-    json = request.json
-    db.session.add(ContactFormSubmission(email=json['email'],
-        name=json['name'], text=json['text']))
+    db.session.add(ContactFormSubmission(
+        email=request.form['email'],
+        name=request.form['name'],
+        text=request.form['text']))
    db.session.commit()
    return 'ok'


--- a/api/contact.py
+++ b/api/contact.py
-from flask import request, redirect, current_app
-from stravalib.client import Client
-from requests.exceptions import HTTPError
-from sqlalchemy.orm.exc import NoResultFound
-from api.models import db, StravaApiToken
-
-class Contact():
-    """Website contact form handler"""
-
-    @classmethod
-    def check_auth(cls, token = None):
-        if not token:
-            try:
-                token = db.session.query(StravaApiToken).one().token
-            except NoResultFound:
-                return False
-        strava = Client(token)
-        try:
-            return strava.get_athlete().email
-        except (HTTPError, AttributeError):
-            return False
--- a/config.py
+++ b/config.py
@@ -4,4 +4,4 @@ ADMIN_IP = '127.0.0.1'
 ADMIN_EMAIL = 'mail@ant.sr'
 SQLALCHEMY_DATABASE_URI = 'sqlite:///api.db'
 SQLALCHEMY_TRACK_MODIFICATIONS = True
-
+RATELIMIT_HEADERS_ENABLED = True
--- a/requirements.txt
+++ b/requirements.txt
 Flask==0.11.1
+Flask-Limiter==0.9.3
 Flask-Migrate==1.8.1
 Flask-SQLAlchemy==2.1
 psycopg2==2.6.2