From 516ae5fb3bac4579e205a64f2f5a0254ef016285 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adri=C3=A0=20Casaj=C3=BAs?= Date: Mon, 22 Sep 2025 16:56:20 +0200 Subject: [PATCH] FIX: Do not allow to create a contact with reply email as contact email --- app/contact_utils.py | 12 ++++++++++-- tests/test_contact_utils.py | 14 ++++++++++++-- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/app/contact_utils.py b/app/contact_utils.py index b22c81a7..9d452e41 100644 --- a/app/contact_utils.py +++ b/app/contact_utils.py @@ -1,13 +1,13 @@ from dataclasses import dataclass from enum import Enum -from typing import Optional - from sqlalchemy.exc import IntegrityError +from typing import Optional from app.alias_audit_log_utils import emit_alias_audit_log, AliasAuditLogAction from app.db import Session from app.email_utils import generate_reply_email, parse_full_address from app.email_validation import is_valid_email +from app.errors import CannotCreateContactForReverseAlias from app.log import LOG from app.models import Contact, Alias from app.utils import sanitize_email @@ -49,6 +49,9 @@ def create_contact( automatic_created: bool = False, from_partner: bool = False, ) -> ContactCreateResult: + LOG.i( + f"User {alias.user} is trying to create a new contact for alias {alias} with email {email}" + ) # If user cannot create contacts, they still need to be created when receiving an email for an alias if not automatic_created and not alias.user.can_create_contacts(): return ContactCreateResult( @@ -119,6 +122,11 @@ def create_contact( f"Created contact {contact} for alias {alias} with email {email} invalid_email={is_invalid_email}" ) return ContactCreateResult(contact, created=True, error=None) + except CannotCreateContactForReverseAlias as e: + LOG.i(f"Cannot create contact {email} for alias {alias}: {e}") + return ContactCreateResult( + None, created=False, error=ContactCreateError.InvalidEmail + ) except IntegrityError: Session.rollback() LOG.info( 
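Review bot: The new `LOG.i` at the top of `create_contact` writes the caller-supplied `email` into the log before any validation visible in this hunk, and it fires on every call, including the `automatic_created` path that the comment just below ties to receiving an email for an alias. An address taken from an incoming message may contain control characters, so interpolating it raw can let a sender forge or split log lines, and it records a third party's address at info level even for attempts that are later rejected. Consider `f"Creating contact for alias {alias} email={email!r} automatic_created={automatic_created}"`, which escapes the value and drops the "User ... is trying to create" wording that is misleading for automatic creation. The rest of `create_contact` lies outside this hunk, so confirm whether `email` is sanitized further down before deciding where the log line belongs.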
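Review bot: The new `except CannotCreateContactForReverseAlias` branch returns without `Session.rollback()`, while the `except IntegrityError` branch directly below it rolls back first. The raise site is not part of this diff; if the exception can be raised after the contact was added to the session or flushed, pending state is left for the next caller, so either add `Session.rollback()` before the `return` or document the assumption with a comment such as `# raised before Session.add, nothing to roll back`. Mapping the case to `ContactCreateError.InvalidEmail` means callers cannot tell a reverse-alias rejection from a malformed address, which deserves a one-line comment if intentional. The new handler also uses `LOG.i` where the neighbouring handler uses `LOG.info`, and the `try` it belongs to starts outside the hunk.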
diff --git a/tests/test_contact_utils.py b/tests/test_contact_utils.py index 2ca5b3ea..3426bbc4 100644 --- a/tests/test_contact_utils.py +++ b/tests/test_contact_utils.py @@ -1,6 +1,5 @@ -from typing import Optional - import pytest +from typing import Optional from app import config from app.alias_audit_log_utils import AliasAuditLogAction @@ -233,3 +232,14 @@ def test_toggle_contact_block(): assert audit_log.action == AliasAuditLogAction.UpdateContact.value assert audit_log.id > last_log_id assert not contact.block_forward + + +def test_create_contact_with_reply_email(): + user = create_new_user() + alias = Alias.create_new_random(user) + email = random_email() + contact1 = create_contact(email, alias).contact + out = create_contact(contact1.reply_email, alias) + assert out.contact is None + assert out.created is False + assert out.error == ContactCreateError.InvalidEmail
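Review bot: `test_create_contact_with_reply_email` only exercises the reply address exactly as stored, so it does not show that the rejection holds for equivalent spellings of the same address. `app/contact_utils.py` imports `sanitize_email`, which suggests addresses are normalised somewhere on this path; a second call such as `out = create_contact(contact1.reply_email.upper(), alias)` followed by `assert out.contact is None` would pin that the check runs on the normalised value. It would also help to assert afterwards that `create_contact(random_email(), alias).created` is still true on the same alias, confirming that the rejected call leaves the session usable.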