From c1cd1298e8e66077ec3e1c065f53b23877f18e5f Mon Sep 17 00:00:00 2001
From: Carlos Quintana
Date: Thu, 24 Oct 2024 08:27:54 +0200
Subject: [PATCH] fix: missing None check on alias contacts api

---
 app/api/views/alias.py  | 5 ++---
 tests/api/test_alias.py | 13 +++++++++++++
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/app/api/views/alias.py b/app/api/views/alias.py
index 45297e63c..7630b4b49 100644
--- a/app/api/views/alias.py
+++ b/app/api/views/alias.py
@@ -419,9 +419,8 @@ def create_contact_route(alias_id):
     if not data:
         return jsonify(error="request body cannot be empty"), 400
 
-    alias: Alias = Alias.get(alias_id)
-
-    if alias.user_id != g.user.id:
+    alias: Optional[Alias] = Alias.get_by(id=alias_id, user_id=g.user.id)
+    if not alias:
         return jsonify(error="Forbidden"), 403
 
     contact_address = data.get("contact")
diff --git a/tests/api/test_alias.py b/tests/api/test_alias.py
index 1661b50ef..dd39e1320 100644
--- a/tests/api/test_alias.py
+++ b/tests/api/test_alias.py
@@ -511,6 +511,19 @@ def test_create_contact_route_invalid_alias(flask_client):
     assert r.status_code == 403
 
 
+def test_create_contact_route_non_existing_alias(flask_client):
+    user, api_key = get_new_user_and_api_key()
+    Session.commit()
+
+    r = flask_client.post(
+        url_for("api.create_contact_route", alias_id=99999999),
+        headers={"Authentication": api_key.code},
+        json={"contact": "First Last "},
+    )
+
+    assert r.status_code == 403
+
+
 def test_create_contact_route_free_users(flask_client):
     user, api_key = get_new_user_and_api_key()
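Review bot: The new `alias = Alias.get_by(id=alias_id, user_id=g.user.id)` / `if not alias:` pair deliberately returns the same 403 for an alias that does not exist and for one owned by another user, which closes the existence oracle the old code had (a missing alias raised AttributeError on `alias.user_id`, i.e. a 500 instead of a 403), but nothing in the hunk says this conflation is intentional; add `# 403 for both missing and foreign aliases so the API does not reveal whether an id exists` above the `if not alias:` line. The annotation `Optional[Alias]` relies on `Optional` being imported in alias.py, which the hunk does not show — confirm the import exists or follow whatever annotation style the file already uses. If other routes in this file still use the `Alias.get(alias_id)` then `alias.user_id != g.user.id` pattern, they have the same crash-on-None bug; a grep for that pattern would be worth doing in the same change. create_contact_route continues past the end of the hunk.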