From 643a91fa691f8266047bdb11dd92048c419ad13c Mon Sep 17 00:00:00 2001
From: Anton Sarukhanov <code@ant.sr>
Date: Tue, 1 Nov 2016 23:53:48 -0400
Subject: [PATCH] Ratelimit contact form; accept regular POST instead of JSON;
 remove junk file

---
 api/app.py       | 13 ++++++++++---
 api/contact.py   | 21 ---------------------
 config.py        |  2 +-
 requirements.txt |  1 +
 4 files changed, 12 insertions(+), 25 deletions(-)
 delete mode 100644 api/contact.py

diff --git a/api/app.py b/api/app.py
index a503184..d68758a 100644
--- a/api/app.py
+++ b/api/app.py
@@ -1,5 +1,7 @@
 import json
 from flask import Flask, redirect, render_template, request, url_for
+from flask_limiter import Limiter
+from flask_limiter.util import get_ipaddr
 from stravalib import unithelper
 from api.decorators import admin
 from api.models import db, ContactFormSubmission
@@ -11,6 +13,9 @@ app.config.from_pyfile('config.py')
 
 db.init_app(app)
 
+limiter = Limiter(key_func=get_ipaddr)
+limiter.init_app(app)
+
 @app.route('/')
 def index():
     return render_template('index.html')
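Review bot: `limiter = Limiter(key_func=get_ipaddr)` keys the limit on the address `flask_limiter.util.get_ipaddr` derives from the request's forwarded chain (`X-Forwarded-For`) when that header is present, falling back to `remote_addr` only when it is absent, so the 1/minute limit on `/api/contact` is only as reliable as whatever sets that header in front of the app; with no proxy in the path the header is client-supplied and the bucket a request lands in is not tied to the connecting peer. If the app is served directly, `key_func=get_remote_address` (also in `flask_limiter.util`, assuming this Flask-Limiter version ships it) keys on the socket peer instead; behind a proxy that overwrites the header, `get_ipaddr` is correct but the dependency on that proxy should be recorded. A comment on the construction line such as `# keyed on X-Forwarded-For: only meaningful behind a trusted proxy that sets it` would make the assumption visible to whoever changes the deployment.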
@@ -39,10 +44,12 @@ def api_strava():
     return r
 
 @app.route('/api/contact', methods=['POST'])
+@limiter.limit("1/minute")
 def api_contact():
-    json = request.json
-    db.session.add(ContactFormSubmission(email=json['email'],
-        name=json['name'], text=json['text']))
+    db.session.add(ContactFormSubmission(
+        email=request.form['email'],
+        name=request.form['name'],
+        text=request.form['text']))
     db.session.commit()
     return 'ok'
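Review bot: The three `request.form[...]` reads in the `ContactFormSubmission(...)` call store the fields exactly as sent: a missing key makes Flask answer 400, but nothing bounds their length or requires `email`/`text` to be non-empty, and the model's column definitions are not part of this patch, so whether oversized input is rejected or stored whole depends on the backend (the config hunk keeps `sqlite:///api.db`, which enforces no declared length). A short guard before `db.session.add`, e.g. `text = request.form['text'].strip()` followed by `if not text or len(text) > MAX_TEXT: abort(400)` (with `abort` imported from `flask` and `MAX_TEXT` a constant you choose), would make the accepted contract explicit. The body of `api_contact` lies entirely within the hunk.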
 
diff --git a/api/contact.py b/api/contact.py
deleted file mode 100644
index 2ad0060..0000000
--- a/api/contact.py
+++ /dev/null
@@ -1,21 +0,0 @@
-from flask import request, redirect, current_app
-from stravalib.client import Client
-from requests.exceptions import HTTPError
-from sqlalchemy.orm.exc import NoResultFound
-from api.models import db, StravaApiToken
-
-class Contact():
-    """Website contact form handler"""
-
-    @classmethod
-    def check_auth(cls, token = None):
-        if not token:
-            try:
-                token = db.session.query(StravaApiToken).one().token
-            except NoResultFound:
-                return False
-        strava = Client(token)
-        try:
-            return strava.get_athlete().email
-        except (HTTPError, AttributeError):
-            return False
diff --git a/config.py b/config.py
index ca590d0..d094d92 100644
--- a/config.py
+++ b/config.py
@@ -4,4 +4,4 @@ ADMIN_IP = '127.0.0.1'
 ADMIN_EMAIL = 'mail@ant.sr'
 SQLALCHEMY_DATABASE_URI = 'sqlite:///api.db'
 SQLALCHEMY_TRACK_MODIFICATIONS = True
-
+RATELIMIT_HEADERS_ENABLED = True
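Review bot: `RATELIMIT_HEADERS_ENABLED = True` is the only limiter setting added, so no `RATELIMIT_STORAGE_URL` is configured and Flask-Limiter falls back to its in-process memory storage: the 1/minute counters used in api/app.py are then held per worker process and cleared on every restart, which the library warns about at startup. That is adequate for a single-process dev server, but under several workers the effective limit scales with the worker count, so a shared backend via `RATELIMIT_STORAGE_URL` should be set before the limit is relied on, or a comment `# limiter uses in-memory storage: per-process, not shared across workers` should record the deliberate choice.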
diff --git a/requirements.txt b/requirements.txt
index 3af8b96..486e853 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,5 @@
 Flask==0.11.1
+Flask-Limiter==0.9.3
 Flask-Migrate==1.8.1
 Flask-SQLAlchemy==2.1
 psycopg2==2.6.2
-- 
GitLab