decred · lukebp · Jul 21, 2021 · Jul 2, 2021 · Jul 5, 2021 · Jul 5, 2021
diff --git a/go.mod b/go.mod
@@ -28,6 +28,7 @@ require (
 	github.com/go-sql-driver/mysql v1.5.0
 	github.com/go-test/deep v1.0.1
 	github.com/golang/protobuf v1.4.3
+	github.com/google/go-cmp v0.5.4
 	github.com/google/trillian v1.3.13
 	github.com/google/uuid v1.1.1
 	github.com/gorilla/csrf v1.6.2

diff --git a/go.sum b/go.sum
@@ -415,6 +415,8 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=

diff --git a/politeiawww/cmd/politeiawww_dbutil/politeiawww_dbutil.go b/politeiawww/cmd/politeiawww_dbutil/politeiawww_dbutil.go
@@ -463,6 +463,7 @@ func connectMySQL() (user.Database, error) {
 	}
 
 	fmt.Printf("MySQL : %v %v\n", *mysqlhost, network)
+
 	return mysqldb.New(*mysqlhost, *password, network, *encryptionKey)
 }
 

diff --git a/politeiawww/config.go b/politeiawww/config.go
@@ -76,6 +76,8 @@ const (
 	defaultMySQLDBHost     = "localhost:3306"  // MySQL default host
 	defaultCockroachDBHost = "localhost:26257" // CockroachDB default host
 
+	defaultMailRateLimit = 100 // Email limit per user
+
 	// Environment variables.
 	envDBPass = "DBPASS"
 )
@@ -337,6 +339,7 @@ func loadConfig() (*config.Config, []string, error) {
 		MinConfirmationsRequired: defaultPaywallMinConfirmations,
 		VoteDurationMin:          defaultVoteDurationMin,
 		VoteDurationMax:          defaultVoteDurationMax,
+		MailRateLimit:            defaultMailRateLimit,
 	}
 
 	// Service options which are only added on Windows.

diff --git a/politeiawww/config/config.go b/politeiawww/config/config.go
@@ -86,6 +86,7 @@ type Config struct {
 	MailAddress      string `long:"mailaddress" description:"Email address for outgoing email in the format: name <address>"`
 	MailCert         string `long:"mailcert" description:"Email server certificate file"`
 	MailSkipVerify   bool   `long:"mailskipverify" description:"Skip TLS verification when connecting to the mail server"`
+	MailRateLimit    int    `long:"mailratelimit" description:"Limits the amount of emails a user can receive in 24h"`
 	WebServerAddress string `long:"webserveraddress" description:"Web server address used to create email links (format: <scheme>://<host>[:<port>])"`
 
 	// XXX These should all be plugin settings

diff --git a/politeiawww/email.go b/politeiawww/email.go
@@ -12,6 +12,7 @@ import (
 	"time"
 
 	www "github.com/decred/politeia/politeiawww/api/www/v1"
+	"github.com/google/uuid"
 )
 
 const (
@@ -52,8 +53,11 @@ func (p *politeiawww) createEmailLink(path, email, token, username string) (stri
 	return l.String(), nil
 }
 
-// emailUserEmailVerify sends a new user verification email to the
-// provided email address.
+// emailUserEmailVerify sends a new user verification email to the provided
+// email address. This function is not rate limited by the smtp client because
+// the user is only created/updated when this function is successfully executed
+// and an email with the verification token is sent to the user. This email is
+// also already limited by the verification token expiry hours policy.
 func (p *politeiawww) emailUserEmailVerify(email, token, username string) error {
 	link, err := p.createEmailLink(www.RouteVerifyNewUser, email,
 		token, username)
@@ -71,14 +75,13 @@ func (p *politeiawww) emailUserEmailVerify(email, token, username string) error
 	if err != nil {
 		return err
 	}
-	recipients := []string{email}
 
-	return p.mail.SendTo(subject, body, recipients)
+	return p.mail.SendTo(subject, body, []string{email})
 }
 
 // emailUserKeyUpdate emails the link with the verification token used for
 // setting a new key pair if the email server is set up.
-func (p *politeiawww) emailUserKeyUpdate(username, email, publicKey, token string) error {
+func (p *politeiawww) emailUserKeyUpdate(username, publicKey, token string, recipient map[uuid.UUID]string) error {
 	link, err := p.createEmailLink(www.RouteVerifyUpdateUserKey, "", token, "")
 	if err != nil {
 		return err
@@ -95,14 +98,13 @@ func (p *politeiawww) emailUserKeyUpdate(username, email, publicKey, token strin
 	if err != nil {
 		return err
 	}
-	recipients := []string{email}
 
-	return p.mail.SendTo(subject, body, recipients)
+	return p.mail.SendToUsers(subject, body, recipient)
 }
 
 // emailUserPasswordReset emails the link with the reset password verification
 // token to the provided email address.
-func (p *politeiawww) emailUserPasswordReset(email, username, token string) error {
+func (p *politeiawww) emailUserPasswordReset(username, token string, recipient map[uuid.UUID]string) error {
 	// Setup URL
 	u, err := url.Parse(p.cfg.WebServerAddress + www.RouteResetPassword)
 	if err != nil {
@@ -124,13 +126,17 @@ func (p *politeiawww) emailUserPasswordReset(email, username, token string) erro
 	}
 
 	// Send email
-	return p.mail.SendTo(subject, body, []string{email})
+	return p.mail.SendToUsers(subject, body, recipient)
 }
 
 // emailUserAccountLocked notifies the user its account has been locked and
 // emails the link with the reset password verification token if the email
 // server is set up.
-func (p *politeiawww) emailUserAccountLocked(username, email string) error {
+func (p *politeiawww) emailUserAccountLocked(username string, recipient map[uuid.UUID]string) error {
+	var email string
+	for _, e := range recipient {
+		email = e
+	}
 	link, err := p.createEmailLink(ResetPasswordGuiRoute,
 		email, "", "")
 	if err != nil {
@@ -147,14 +153,13 @@ func (p *politeiawww) emailUserAccountLocked(username, email string) error {
 	if err != nil {
 		return err
 	}
-	recipients := []string{email}
 
-	return p.mail.SendTo(subject, body, recipients)
+	return p.mail.SendToUsers(subject, body, recipient)
 }
 
 // emailUserPasswordChanged notifies the user that his password was changed,
 // and verifies if he was the author of this action, for security purposes.
-func (p *politeiawww) emailUserPasswordChanged(username, email string) error {
+func (p *politeiawww) emailUserPasswordChanged(username string, recipient map[uuid.UUID]string) error {
 	tplData := userPasswordChanged{
 		Username: username,
 	}
@@ -164,9 +169,8 @@ func (p *politeiawww) emailUserPasswordChanged(username, email string) error {
 	if err != nil {
 		return err
 	}
-	recipients := []string{email}
 
-	return p.mail.SendTo(subject, body, recipients)
+	return p.mail.SendToUsers(subject, body, recipient)
 }
 
 // emailUserCMSInvite emails the invitation link for the Contractor Management