From 325aa5452bb9c03246d8e1d03eae2a664b1935ce Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Thu, 21 Dec 2023 12:37:08 +0100
Subject: [PATCH] Do not block webmail when we have a valid SSO sess
---
 core/admin/mailu/internal/views/auth.py | 2 +-
 towncrier/newsfragments/3094.bugfix | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 towncrier/newsfragments/3094.bugfix
diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index 7de885b8..4aa31407 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -37,7 +37,7 @@ def nginx_authentication():
 is_valid_user = False
 username = response.headers.get('Auth-User', None)
 if response.headers.get("Auth-User-Exists") == "True":
- if not is_app_token and utils.limiter.should_rate_limit_user(username, client_ip):
+ if not is_from_webmail and not is_app_token and utils.limiter.should_rate_limit_user(username, client_ip):
 # FIXME could be done before handle_authentication()
 status, code = nginx.get_status(flask.request.headers['Auth-Protocol'], 'ratelimit')
 response = flask.Response()
diff --git a/towncrier/newsfragments/3094.bugfix b/towncrier/newsfragments/3094.bugfix
new file mode 100644
index 00000000..e6706714
--- /dev/null
+++ b/towncrier/newsfragments/3094.bugfix
@@ -0,0 +1 @@
+Ensure we do not block logins from webmails when there is a valid SSO session
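Review bot: The added `not is_from_webmail` term in `nginx_authentication()` skips `utils.limiter.should_rate_limit_user()` for every request flagged as coming from webmail, but nothing in this hunk ties that exemption to an SSO session having actually been validated, which is what the commit title promises. `is_from_webmail` is assigned outside the hunk, so its derivation cannot be checked here. If it is inferred from request metadata rather than from a verified session token, the per-user brute-force limit is no longer enforced on that path, so please confirm that path is reachable only by the webmail backend and accepts only session tokens. A why-comment above the condition would record the assumption, for example `# webmail authenticates with an SSO-issued session token, never a user password, so the per-user limiter does not apply (confirm)`. A regression test that a rate-limited user is still rejected on the non-webmail path would pin the intended scope; the function body begins and continues outside this hunk.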