Fix: Use timed signers to avoid leaving permanent links (#1524)

Co-authored-by: Adrià Casajús <adria.casajus@proton.ch>

app/dashboard/views/mailbox.py

@@ -2,7 +2,7 @@ import arrow
 from flask import render_template, request, redirect, url_for, flash
 from flask_login import login_required, current_user
 from flask_wtf import FlaskForm
-from itsdangerous import Signer
+from itsdangerous import TimestampSigner
 from wtforms import validators
 from wtforms.fields.html5 import EmailField
 
@@ -165,7 +165,7 @@ SimpleLogin team.
 
 
 def send_verification_email(user, mailbox):
-    s = Signer(MAILBOX_SECRET)
+    s = TimestampSigner(MAILBOX_SECRET)
     mailbox_id_signed = s.sign(str(mailbox.id)).decode()
     verification_url = (
         URL + "/dashboard/mailbox_verify" + f"?mailbox_id={mailbox_id_signed}"
@@ -190,11 +190,11 @@ def send_verification_email(user, mailbox):
 
 @dashboard_bp.route("/mailbox_verify")
 def mailbox_verify():
-    s = Signer(MAILBOX_SECRET)
+    s = TimestampSigner(MAILBOX_SECRET)
     mailbox_id = request.args.get("mailbox_id")
 
     try:
-        r_id = int(s.unsign(mailbox_id))
+        r_id = int(s.unsign(mailbox_id, max_age=900))
     except Exception:
         flash("Invalid link. Please delete and re-add your mailbox", "error")
         return redirect(url_for("dashboard.mailbox_route"))

app/dashboard/views/mailbox_detail.py

@@ -4,7 +4,7 @@ from email_validator import validate_email, EmailNotValidError
 from flask import render_template, request, redirect, url_for, flash
 from flask_login import login_required, current_user
 from flask_wtf import FlaskForm
-from itsdangerous import Signer
+from itsdangerous import TimestampSigner
 from wtforms import validators
 from wtforms.fields.html5 import EmailField
 
@@ -210,7 +210,7 @@ def mailbox_detail_route(mailbox_id):
 
 
 def verify_mailbox_change(user, mailbox, new_email):
-    s = Signer(MAILBOX_SECRET)
+    s = TimestampSigner(MAILBOX_SECRET)
     mailbox_id_signed = s.sign(str(mailbox.id)).decode()
     verification_url = (
         f"{URL}/dashboard/mailbox/confirm_change?mailbox_id={mailbox_id_signed}"
@@ -262,11 +262,11 @@ def cancel_mailbox_change_route(mailbox_id):
 
 @dashboard_bp.route("/mailbox/confirm_change")
 def mailbox_confirm_change_route():
-    s = Signer(MAILBOX_SECRET)
+    s = TimestampSigner(MAILBOX_SECRET)
     signed_mailbox_id = request.args.get("mailbox_id")
 
     try:
-        mailbox_id = int(s.unsign(signed_mailbox_id))
+        mailbox_id = int(s.unsign(signed_mailbox_id, max_age=900))
     except Exception:
         flash("Invalid link", "error")
         return redirect(url_for("dashboard.index"))

templates/emails/transactional/verify-mailbox-change.html

@@ -6,6 +6,7 @@
   {{ render_text("You recently requested to change mailbox <b>"+ mailbox_email +"</b> to <b>" + mailbox_new_email + "</b>.") }}
   {{ render_text("To confirm, please click on the button below.") }}
   {{ render_button("Confirm mailbox change", link) }}
+  {{ render_text("This email will only be valid for the next 15 minutes.") }}
   {{ render_text('Thanks,
   <br />
   SimpleLogin Team.') }}

templates/emails/transactional/verify-mailbox-change.txt.jinja2

@@ -8,4 +8,6 @@ You recently requested to change mailbox {{mailbox_email}} to {{mailbox_new_emai
 To confirm, please click on this link:
 
 {{link}}
+
+This link will only be valid during the next 15 minutes.
 {% endblock %}

templates/emails/transactional/verify-mailbox.html

@@ -6,6 +6,7 @@
   {{ render_text("You have added <b>"+ mailbox_email +"</b> as an additional mailbox.") }}
   {{ render_text("To confirm, please click on the button below.") }}
   {{ render_button("Confirm mailbox", link) }}
+  {{ render_text("This email will only be valid for the next 15 minutes.") }}
   {{ render_text('Thanks,
   <br />
   SimpleLogin Team.') }}

templates/emails/transactional/verify-mailbox.txt.jinja2

@@ -8,4 +8,6 @@ You have added {{mailbox_email}} as an additional mailbox.
 To confirm, please click on this link:
 
 {{link}}
+
+This link will only be valid during the next 15 minutes.
 {% endblock %}