fix(dictproxy): check that user exists and create it in a transaction

Otherwise user may be already created by another connection as checking if the user exists happens in a different read-only transaction. This happens when Delta Chat connects IMAP and SMTP at the same time. Also update last_login time on login.
Remove authentication logs from dictproxy
2026-05-12 09:04:36 +00:00 · 2023-11-07 21:15:30 +00:00 · 2023-11-07 21:04:33 +01:00
2 changed files with 22 additions and 26 deletions
--- a/chatmaild/src/chatmaild/database.py
+++ b/chatmaild/src/chatmaild/database.py
@@ -33,13 +33,6 @@ class Connection:
    def cursor(self):
        return self._sqlconn.cursor()
    def create_user(self, addr: str, password: str):
        """Create a row in the users table."""
        self.execute("PRAGMA foreign_keys=on")
        q = """INSERT INTO users (addr, password, last_login)
               VALUES (?, ?, ?)"""
        self.execute(q, (addr, password, int(time.time())))
    def get_user(self, addr: str) -> {}:
        """Get a row from the users table."""
        q = "SELECT addr, password, last_login from users WHERE addr = ?"
--- a/chatmaild/src/chatmaild/dictproxy.py
+++ b/chatmaild/src/chatmaild/dictproxy.py
@@ -1,5 +1,6 @@
 import logging
 import os
 import time
 import sys
 import json
 import crypt
@@ -46,17 +47,6 @@ def is_allowed_to_create(user, cleartext_password) -> bool:
    return True
 def create_user(db, user, encrypted_password):
    with db.write_transaction() as conn:
        conn.create_user(user, encrypted_password)
    return dict(
        home=f"/home/vmail/{user}",
        uid="vmail",
        gid="vmail",
        password=encrypted_password,
    )
 def get_user_data(db, user):
    with db.read_connection() as conn:
        result = conn.get_user(user)
@@ -71,18 +61,33 @@ def lookup_userdb(db, user):
 def lookup_passdb(db, user, cleartext_password):
-    userdata = get_user_data(db, user)
+    with db.write_transaction() as conn:
-    if not userdata:
+        userdata = conn.get_user(user)
        if userdata:
            # Update last login time.
            conn.execute(
                "UPDATE users SET last_login=? WHERE addr=?", (int(time.time()), user)
            )
            userdata["uid"] = "vmail"
            userdata["gid"] = "vmail"
            return userdata
        if not is_allowed_to_create(user, cleartext_password):
            return
        encrypted_password = encrypt_password(cleartext_password)
-        userdata = create_user(db=db, user=user, encrypted_password=encrypted_password)
+        q = """INSERT INTO users (addr, password, last_login)
-    userdata["password"] = userdata["password"].strip()
+               VALUES (?, ?, ?)"""
-    return userdata
+        conn.execute(q, (user, encrypted_password, int(time.time())))
        return dict(
            home=f"/home/vmail/{user}",
            uid="vmail",
            gid="vmail",
            password=encrypted_password,
        )
 def handle_dovecot_request(msg, db, mail_domain):
    print(f"received msg: {msg!r}", file=sys.stderr)
    short_command = msg[0]
    if short_command == "L":  # LOOKUP
        parts = msg[1:].split("\t")
@@ -105,7 +110,6 @@ def handle_dovecot_request(msg, db, mail_domain):
                    reply_command = "O"
                else:
                    reply_command = "N"
        print(f"res: {res!r}", file=sys.stderr)
        json_res = json.dumps(res) if res else ""
        return f"{reply_command}{json_res}\n"
    return None
@@ -130,7 +134,6 @@ def main():
                    break
                res = handle_dovecot_request(msg, db, mail_domain)
                if res:
                    print(f"sending result: {res!r}", file=sys.stderr)
                    self.wfile.write(res.encode("ascii"))
                    self.wfile.flush()