From 62246b5a2c8d35a94ef140b0c0cbf4378b93f396 Mon Sep 17 00:00:00 2001
From: Christy Jacob
Date: Mon, 29 Jan 2024 17:24:10 +0000
Subject: [PATCH 01/12] chore: add auth label to phone endpoint
---
 app/controllers/api/account.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 99df2f459e..f9ceb11aa3 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -889,7 +889,7 @@ App::delete('/v1/account/identities/:identityId')
 
 App::post('/v1/account/sessions/magic-url')
 ->desc('Create magic URL session')
- ->groups(['api', 'account'])
+ ->groups(['api', 'account', 'auth'])
 ->label('scope', 'public')
 ->label('auth.type', 'magic-url')
 ->label('audits.event', 'session.create')
@@ -903,7 +903,7 @@ App::post('/v1/account/sessions/magic-url')
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_TOKEN)
 ->label('abuse-limit', 10)
- ->label('abuse-key', 'url:{url},email:{param-email}')
+ ->label('abuse-key', 'url:{url},ip:{ip}') /** TODO: Add support for arrays */
 ->param('userId', '', new CustomId(), 'Unique Id. Choose a custom ID or generate a random ID with `ID.unique()`. Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can\'t start with a special char. Max length is 36 chars.')
 ->param('email', '', new Email(), 'User email.')
 ->param('url', '', fn($clients) => new Host($clients), 'URL to redirect the user back to your app from the magic URL login. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an [open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) attack against your project API.', true, ['clients'])
@@ -1223,7 +1223,7 @@ App::put('/v1/account/sessions/magic-url')
 
 App::post('/v1/account/sessions/phone')
 ->desc('Create phone session')
- ->groups(['api', 'account'])
+ ->groups(['api', 'account', 'auth'])
 ->label('scope', 'public')
 ->label('auth.type', 'phone')
 ->label('audits.event', 'session.create')
@@ -2864,7 +2864,7 @@ App::put('/v1/account/verification')
 
 App::post('/v1/account/verification/phone')
 ->desc('Create phone verification')
- ->groups(['api', 'account'])
+ ->groups(['api', 'account', 'auth'])
 ->label('scope', 'account')
 ->label('event', 'users.[userId].verification.[tokenId].create')
 ->label('audits.event', 'verification.create')
From af21b4412519fa96e4416b9a3df544b3b03537d2 Mon Sep 17 00:00:00 2001
From: Christy Jacob
Date: Mon, 29 Jan 2024 17:25:56 +0000
Subject: [PATCH 02/12] chore: revert abuse key
---
 app/controllers/api/account.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index f9ceb11aa3..53168f0b9a 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -903,7 +903,7 @@ App::post('/v1/account/sessions/magic-url')
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_TOKEN)
 ->label('abuse-limit', 10)
- ->label('abuse-key', 'url:{url},ip:{ip}') /** TODO: Add support for arrays */
+ ->label('abuse-key', 'url:{url},email:{param-email}')
 ->param('userId', '', new CustomId(), 'Unique Id. Choose a custom ID or generate a random ID with `ID.unique()`. Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can\'t start with a special char. Max length is 36 chars.')
 ->param('email', '', new Email(), 'User email.')
 ->param('url', '', fn($clients) => new Host($clients), 'URL to redirect the user back to your app from the magic URL login. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an [open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) attack against your project API.', true, ['clients'])
From 0ff6e99354c2c0cf78e34f784271215c81dd009a Mon Sep 17 00:00:00 2001
From: Christy Jacob
Date: Mon, 29 Jan 2024 17:42:14 +0000
Subject: [PATCH 03/12] chore: update auth group
---
 app/controllers/shared/api.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/app/controllers/shared/api.php b/app/controllers/shared/api.php
index d6b5a2c680..b25ec4425d 100644
--- a/app/controllers/shared/api.php
+++ b/app/controllers/shared/api.php
@@ -346,6 +346,12 @@ App::init()
 }
 break;
 
+ case 'phone':
+ if (($auths['phone'] ?? true) === false) {
+ throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Phone authentication is disabled for this project');
+ }
+ break;
+
 case 'invites':
 if (($auths['invites'] ?? true) === false) {
 throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Invites authentication is disabled for this project');
From 47fc6efb0d1271a4919ca07991d2978e7088e40f Mon Sep 17 00:00:00 2001
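Review bot: `($auths['phone'] ?? true) === false` in the new `case 'phone':` treats an absent `phone` key as "enabled", so a project whose `auths` map never stored the phone toggle gets phone authentication even though nothing ever turned it on; this mirrors the existing `invites` case, so it is presumably the house convention, but a default that decides whether a disabled-method check fires at all deserves to be stated. Suggested comment above the `case 'phone':` line: `// An absent key means the toggle was never set; it is treated as enabled, like the other cases.` The enclosing `switch` and the `App::init()` closure start and end outside the hunk.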
From: Christy Jacob
Date: Mon, 29 Jan 2024 17:48:12 +0000
Subject: [PATCH 04/12] chore: update endpoint
---
 app/controllers/shared/api.php | 2 +-
 app/controllers/shared/api/auth.php | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/app/controllers/shared/api.php b/app/controllers/shared/api.php
index b25ec4425d..41aa7f607d 100644
--- a/app/controllers/shared/api.php
+++ b/app/controllers/shared/api.php
@@ -335,7 +335,7 @@ App::init()
 break;
 
 case 'magic-url':
- if ($project->getAttribute('usersAuthMagicURL', true) === false) {
+ if (($auths['usersAuthMagicURL'] ?? true) === false) {
 throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Magic URL authentication is disabled for this project');
 }
 break;
diff --git a/app/controllers/shared/api/auth.php b/app/controllers/shared/api/auth.php
index 5b1af0d36c..c381d9662a 100644
--- a/app/controllers/shared/api/auth.php
+++ b/app/controllers/shared/api/auth.php
@@ -32,7 +32,7 @@ App::init()
 break;
 
 case 'magic-url':
- if ($project->getAttribute('usersAuthMagicURL', true) === false) {
+ if (($auths['usersAuthMagicURL'] ?? true) === false) {
 throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Magic URL authentication is disabled for this project');
 }
 break;
@@ -43,6 +43,12 @@ App::init()
 }
 break;
 
+ case 'phone':
+ if (($auths['phone'] ?? true) === false) {
+ throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Phone authentication is disabled for this project');
+ }
+ break;
+
 case 'invites':
 if (($auths['invites'] ?? true) === false) {
 throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Invites authentication is disabled for this project');
From dc6f9e6d591c9e608155c3d8f3d74994ebc3a7c3 Mon Sep 17 00:00:00 2001
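Review bot: The magic-url case now looks up `$auths['usersAuthMagicURL']`, while the neighbouring cases in the same switch read short keys (`$auths['phone']`, `$auths['invites']`); `usersAuthMagicURL` is the old project-attribute name carried over from the removed `$project->getAttribute(...)` line, so if the `auths` map is keyed like the other cases the lookup always misses and `?? true` silently re-enables magic URL login for projects that disabled it. Please confirm the key under which the map actually stores the magic URL toggle (not visible here) and use it in both `app/controllers/shared/api.php` and `app/controllers/shared/api/auth.php`, which receive identical edits in this patch. Because the whole auth-method switch is duplicated across those two files, every new method (the `case 'phone':` block included) has to be added twice, and one copy lagging behind the other would leave one request path unchecked; a shared helper would remove that risk. Both enclosing switches start and end outside these hunks.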
From: Christy Jacob
Date: Mon, 29 Jan 2024 20:01:14 +0000
Subject: [PATCH 05/12] chore: add new env variable
---
 .env | 1 +
 docker-compose.yml | 1 +
 src/Appwrite/Platform/Workers/Messaging.php | 15 +++++++++++++--
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/.env b/.env
index 8a7a53e6f4..f36a8e69eb 100644
--- a/.env
+++ b/.env
@@ -58,6 +58,7 @@ _APP_SMTP_USERNAME=
 _APP_SMTP_PASSWORD=
 _APP_SMS_PROVIDER=sms://username:password@mock
 _APP_SMS_FROM=+123456789
+_APP_SMS_DENY_LIST=
 _APP_STORAGE_LIMIT=30000000
 _APP_STORAGE_PREVIEW_LIMIT=20000000
 _APP_FUNCTIONS_SIZE_LIMIT=30000000
diff --git a/docker-compose.yml b/docker-compose.yml
index 5c645e3bcd..b6f654bd6a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -571,6 +571,7 @@ services:
 - _APP_REDIS_PASS
 - _APP_SMS_PROVIDER
 - _APP_SMS_FROM
+ - _APP_SMS_DENY_LIST
 - _APP_LOGGING_PROVIDER
 - _APP_LOGGING_CONFIG
 
diff --git a/src/Appwrite/Platform/Workers/Messaging.php b/src/Appwrite/Platform/Workers/Messaging.php
index 09e77c01ca..4fd6c26afc 100644
--- a/src/Appwrite/Platform/Workers/Messaging.php
+++ b/src/Appwrite/Platform/Workers/Messaging.php
@@ -53,10 +53,21 @@ class Messaging extends Action
 */
 public function action(Message $message): void
 {
- var_dump($message);
-
 $payload = $message->getPayload() ?? [];
+ if (empty($payload['project'])) {
+ Console::error('Project not found');
+ return;
+ }
+
+ Console::log($payload['project']['$id']);
+ $denyList = App::getEnv('_APP_SMS_DENY_LIST', '');
+ $denyList = explode(',', $denyList);
+ if (in_array($payload['project']['$id'], $denyList)) {
+ Console::error("Project is in the deny list. Skipping ...");
+ return;
+ }
+
 if (empty($payload)) {
 Console::error('Payload arg not found');
 return;
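Review bot: The deny-list check in `action()` uses a loose `in_array` and never trims the exploded entries, so an id written with a space after the comma in `_APP_SMS_DENY_LIST` (`a, b`) is not matched and that project keeps sending SMS; normalise the list and compare strictly: `$denyList = array_filter(array_map(static fn (string $id): string => trim($id), explode(',', App::getEnv('_APP_SMS_DENY_LIST', ''))));` followed by `if (in_array($payload['project']['$id'], $denyList, true)) {`, where the `array_filter` also drops the empty string that `explode` yields when the variable is unset. The ordering is also off: `empty($payload['project'])` is evaluated before `empty($payload)`, so the `'Payload arg not found'` branch that follows can no longer be reached and should either move above the project check or go. `Console::log($payload['project']['$id'])` next to the removed `var_dump` reads as a debugging leftover; if the id is wanted in worker logs, give the line a message. The body of `action()` continues outside the hunk.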
From: =?UTF-8?q?Matej=20Ba=C4=8Do?=
Date: Mon, 29 Jan 2024 20:03:14 +0000
Subject: [PATCH 06/12] Fix failing tests
---
 app/controllers/api/account.php | 1 +
 app/controllers/shared/api.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 53168f0b9a..4ee18acaf6 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -2866,6 +2866,7 @@ App::post('/v1/account/verification/phone')
 ->desc('Create phone verification')
 ->groups(['api', 'account', 'auth'])
 ->label('scope', 'account')
+ ->label('auth.type', 'phone')
 ->label('event', 'users.[userId].verification.[tokenId].create')
 ->label('audits.event', 'verification.create')
 ->label('audits.resource', 'user/{response.userId}')
diff --git a/app/controllers/shared/api.php b/app/controllers/shared/api.php
index 41aa7f607d..cf99723586 100644
--- a/app/controllers/shared/api.php
+++ b/app/controllers/shared/api.php
@@ -365,7 +365,7 @@ App::init()
 break;
 
 default:
- throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Unsupported authentication route');
+ throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Unsupported authentication type: ' . $route->getLabel('auth.type', ''));
 break;
 }
 });
From 2ff7c5ac8e63d30cd93c79b03a4d1c65aaa41b5a Mon Sep 17 00:00:00 2001
From: Christy Jacob
Date: Mon, 29 Jan 2024 20:07:17 +0000
Subject: [PATCH 07/12] chore: rename env variable
---
 .env | 2 +-
 docker-compose.yml | 2 +-
 src/Appwrite/Platform/Workers/Messaging.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.env b/.env
index f36a8e69eb..31474bf0b6 100644
--- a/.env
+++ b/.env
@@ -58,7 +58,7 @@ _APP_SMTP_USERNAME=
 _APP_SMTP_PASSWORD=
 _APP_SMS_PROVIDER=sms://username:password@mock
 _APP_SMS_FROM=+123456789
-_APP_SMS_DENY_LIST=
+_APP_SMS_PROJECTS_DENY_LIST=
 _APP_STORAGE_LIMIT=30000000
 _APP_STORAGE_PREVIEW_LIMIT=20000000
 _APP_FUNCTIONS_SIZE_LIMIT=30000000
diff --git a/docker-compose.yml b/docker-compose.yml
index b6f654bd6a..395923681d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -571,7 +571,7 @@ services:
 - _APP_REDIS_PASS
 - _APP_SMS_PROVIDER
 - _APP_SMS_FROM
- - _APP_SMS_DENY_LIST
+ - _APP_SMS_PROJECTS_DENY_LIST
 - _APP_LOGGING_PROVIDER
 - _APP_LOGGING_CONFIG
 
diff --git a/src/Appwrite/Platform/Workers/Messaging.php b/src/Appwrite/Platform/Workers/Messaging.php
index 4fd6c26afc..dda96a01dc 100644
--- a/src/Appwrite/Platform/Workers/Messaging.php
+++ b/src/Appwrite/Platform/Workers/Messaging.php
@@ -61,7 +61,7 @@ class Messaging extends Action
 }
 
 Console::log($payload['project']['$id']);
- $denyList = App::getEnv('_APP_SMS_DENY_LIST', '');
+ $denyList = App::getEnv('_APP_SMS_PROJECTS_DENY_LIST', '');
 $denyList = explode(',', $denyList);
 if (in_array($payload['project']['$id'], $denyList)) {
 Console::error("Project is in the deny list. Skipping ...");
From 1e966d6b2ef1c6d3c3ce396cd49b8444aba10f69 Mon Sep 17 00:00:00 2001
From: Christy Jacob
Date: Mon, 29 Jan 2024 20:09:23 +0000
Subject: [PATCH 08/12] chore: rename env variable
---
 src/Appwrite/Platform/Workers/Messaging.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Appwrite/Platform/Workers/Messaging.php b/src/Appwrite/Platform/Workers/Messaging.php
index dda96a01dc..bd4d9afede 100644
--- a/src/Appwrite/Platform/Workers/Messaging.php
+++ b/src/Appwrite/Platform/Workers/Messaging.php
@@ -56,7 +56,7 @@ class Messaging extends Action
 $payload = $message->getPayload() ?? [];
 
 if (empty($payload['project'])) {
- Console::error('Project not found');
+ throw new Exception('Project not set in payload');
 return;
 }
 
From bc88197e0d234940cbbe563b4bafe293faa63664 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Ba=C4=8Do?=
Date: Mon, 29 Jan 2024 20:11:44 +0000
Subject: [PATCH 09/12] Add more abuse keys
---
 app/controllers/api/account.php | 6 +++---
 src/Appwrite/Platform/Workers/Messaging.php | 3 +--
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 4ee18acaf6..abf564d977 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -903,7 +903,7 @@ App::post('/v1/account/sessions/magic-url')
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_TOKEN)
 ->label('abuse-limit', 10)
- ->label('abuse-key', 'url:{url},email:{param-email}')
+ ->label('abuse-key', ['url:{url},email:{param-email}', 'ip:{ip}'])
 ->param('userId', '', new CustomId(), 'Unique Id. Choose a custom ID or generate a random ID with `ID.unique()`. Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can\'t start with a special char. Max length is 36 chars.')
 ->param('email', '', new Email(), 'User email.')
 ->param('url', '', fn($clients) => new Host($clients), 'URL to redirect the user back to your app from the magic URL login. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an [open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) attack against your project API.', true, ['clients'])
@@ -1237,7 +1237,7 @@ App::post('/v1/account/sessions/phone')
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_TOKEN)
 ->label('abuse-limit', 10)
- ->label('abuse-key', 'url:{url},phone:{param-phone}')
+ ->label('abuse-key', ['url:{url},phone:{param-phone}', 'ip:{ip}'])
 ->param('userId', '', new CustomId(), 'Unique Id. Choose a custom ID or generate a random ID with `ID.unique()`. Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can\'t start with a special char. Max length is 36 chars.')
 ->param('phone', '', new Phone(), 'Phone number. Format this number with a leading \'+\' and a country code, e.g., +16175551212.')
 ->inject('request')
@@ -2878,7 +2878,7 @@ App::post('/v1/account/verification/phone')
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_TOKEN)
 ->label('abuse-limit', 10)
- ->label('abuse-key', 'userId:{userId}')
+ ->label('abuse-key', ['url:{url},userId:{userId}', 'ip:{ip}'])
 ->inject('request')
 ->inject('response')
 ->inject('user')
diff --git a/src/Appwrite/Platform/Workers/Messaging.php b/src/Appwrite/Platform/Workers/Messaging.php
index 4fd6c26afc..340438217c 100644
--- a/src/Appwrite/Platform/Workers/Messaging.php
+++ b/src/Appwrite/Platform/Workers/Messaging.php
@@ -56,8 +56,7 @@ class Messaging extends Action
 $payload = $message->getPayload() ?? [];
 
 if (empty($payload['project'])) {
- Console::error('Project not found');
- return;
+ throw new Exception('Project not found', 500);
 }
 
 Console::log($payload['project']['$id']);
From 7acdaa5978f2b6e9a453e568754ef8f579ad6770 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Ba=C4=8Do?=
Date: Mon, 29 Jan 2024 20:24:21 +0000
Subject: [PATCH 10/12] PR review changes
---
 app/controllers/api/account.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index abf564d977..ed13fe79f7 100644
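Review bot: The Messaging.php hunk in this patch is cut against the pre-patch-08 text (preimage `Console::error('Project not found'); return;`, index `4fd6c26afc`), but patch 08 already turned that line into `throw new Exception('Project not set in payload');`, so in the order given the series does not apply cleanly here and the two patches disagree on the message and on whether a `500` code is passed. Settle on one form, rebase the later patch onto it, and keep the message consistent with the other early exit in the same method. Whichever `Exception` class this file imports (not visible in the hunk), check that its first constructor argument is a free-form message rather than a typed error constant as in the controllers' `Exception::USER_AUTH_METHOD_UNSUPPORTED` usage. `action()` starts and continues outside the hunk.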
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -903,7 +903,7 @@ App::post('/v1/account/sessions/magic-url')
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_TOKEN)
 ->label('abuse-limit', 10)
- ->label('abuse-key', ['url:{url},email:{param-email}', 'ip:{ip}'])
+ ->label('abuse-key', ['url:{url},email:{param-email}', 'url:{url},ip:{ip}'])
 ->param('userId', '', new CustomId(), 'Unique Id. Choose a custom ID or generate a random ID with `ID.unique()`. Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can\'t start with a special char. Max length is 36 chars.')
 ->param('email', '', new Email(), 'User email.')
 ->param('url', '', fn($clients) => new Host($clients), 'URL to redirect the user back to your app from the magic URL login. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an [open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) attack against your project API.', true, ['clients'])
@@ -1237,7 +1237,7 @@ App::post('/v1/account/sessions/phone')
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_TOKEN)
 ->label('abuse-limit', 10)
- ->label('abuse-key', ['url:{url},phone:{param-phone}', 'ip:{ip}'])
+ ->label('abuse-key', ['url:{url},phone:{param-phone}', 'url:{url},ip:{ip}'])
 ->param('userId', '', new CustomId(), 'Unique Id. Choose a custom ID or generate a random ID with `ID.unique()`. Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can\'t start with a special char. Max length is 36 chars.')
 ->param('phone', '', new Phone(), 'Phone number. Format this number with a leading \'+\' and a country code, e.g., +16175551212.')
 ->inject('request')
@@ -2391,7 +2391,7 @@ App::post('/v1/account/recovery')
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_TOKEN)
 ->label('abuse-limit', 10)
- ->label('abuse-key', ['url:{url},email:{param-email}', 'ip:{ip}'])
+ ->label('abuse-key', ['url:{url},email:{param-email}', 'url:{url},ip:{ip}'])
 ->param('email', '', new Email(), 'User email.')
 ->param('url', '', fn ($clients) => new Host($clients), 'URL to redirect the user back to your app from the recovery email. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an [open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) attack against your project API.', false, ['clients'])
 ->inject('request')
@@ -2878,7 +2878,7 @@ App::post('/v1/account/verification/phone')
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_TOKEN)
 ->label('abuse-limit', 10)
- ->label('abuse-key', ['url:{url},userId:{userId}', 'ip:{ip}'])
+ ->label('abuse-key', ['url:{url},userId:{userId}', 'url:{url},ip:{ip}'])
 ->inject('request')
 ->inject('response')
 ->inject('user')
From c192e48c48890312ac3ff382a164557f93b410c3 Mon Sep 17 00:00:00 2001
From: Christy Jacob
Date: Mon, 29 Jan 2024 20:25:23 +0000
Subject: [PATCH 11/12] chore: remove return
---
 src/Appwrite/Platform/Workers/Messaging.php | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/Appwrite/Platform/Workers/Messaging.php b/src/Appwrite/Platform/Workers/Messaging.php
index bd4d9afede..92f9e8fdf4 100644
--- a/src/Appwrite/Platform/Workers/Messaging.php
+++ b/src/Appwrite/Platform/Workers/Messaging.php
@@ -57,7 +57,6 @@ class Messaging extends Action
 
 if (empty($payload['project'])) {
 throw new Exception('Project not set in payload');
- return;
 }
 
 Console::log($payload['project']['$id']);
From 738a696ca9ede642be49bdb885ff135955fb51ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Ba=C4=8Do?=
Date: Mon, 29 Jan 2024 20:38:01 +0000
Subject: [PATCH 12/12] Add proejct ID abuse protection
---
 app/controllers/api/account.php | 8 ++++----
 app/controllers/shared/api.php | 1 +
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index ed13fe79f7..2209459d3e 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -902,8 +902,8 @@ App::post('/v1/account/sessions/magic-url')
 ->label('sdk.response.code', Response::STATUS_CODE_CREATED)
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_TOKEN)
- ->label('abuse-limit', 10)
- ->label('abuse-key', ['url:{url},email:{param-email}', 'url:{url},ip:{ip}'])
+ ->label('abuse-limit', 60)
+ ->label('abuse-key', ['url:{url},email:{param-email}', 'url:{url},ip:{ip}', 'url:{url},projectId:{projectId}'])
 ->param('userId', '', new CustomId(), 'Unique Id. Choose a custom ID or generate a random ID with `ID.unique()`. Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can\'t start with a special char. Max length is 36 chars.')
 ->param('email', '', new Email(), 'User email.')
 ->param('url', '', fn($clients) => new Host($clients), 'URL to redirect the user back to your app from the magic URL login. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an [open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) attack against your project API.', true, ['clients'])
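Review bot: Raising `abuse-limit` from 10 to 60 on the magic-url endpoint loosens every key in the array, not just the new one, because the `TimeLimit` in `shared/api.php` is built from the route's single `abuse-limit` label for each `$abuseKey`; one client can now trigger 60 magic-URL e-mails per hour to the same address from the same URL, six times the previous ceiling, while the phone-session and phone-verification hunks on the next line keep 10 with the same three keys. If the project-wide `url:{url},projectId:{projectId}` key needs a larger budget, give that key its own limit (which likely means extending the label format rather than changing this one number) instead of lifting the per-email and per-IP ceilings with it. Until then, keeping `->label('abuse-limit', 10)` here preserves the existing per-email and per-IP protection while still adding the project-level key. The route definition continues outside the hunk.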
@@ -1237,7 +1237,7 @@ App::post('/v1/account/sessions/phone')
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_TOKEN)
 ->label('abuse-limit', 10)
- ->label('abuse-key', ['url:{url},phone:{param-phone}', 'url:{url},ip:{ip}'])
+ ->label('abuse-key', ['url:{url},phone:{param-phone}', 'url:{url},ip:{ip}', 'url:{url},projectId:{projectId}'])
 ->param('userId', '', new CustomId(), 'Unique Id. Choose a custom ID or generate a random ID with `ID.unique()`. Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can\'t start with a special char. Max length is 36 chars.')
 ->param('phone', '', new Phone(), 'Phone number. Format this number with a leading \'+\' and a country code, e.g., +16175551212.')
 ->inject('request')
@@ -2878,7 +2878,7 @@ App::post('/v1/account/verification/phone')
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_TOKEN)
 ->label('abuse-limit', 10)
- ->label('abuse-key', ['url:{url},userId:{userId}', 'url:{url},ip:{ip}'])
+ ->label('abuse-key', ['url:{url},userId:{userId}', 'url:{url},ip:{ip}', 'url:{url},projectId:{projectId}'])
 ->inject('request')
 ->inject('response')
 ->inject('user')
diff --git a/app/controllers/shared/api.php b/app/controllers/shared/api.php
index cf99723586..df6ec002cb 100644
--- a/app/controllers/shared/api.php
+++ b/app/controllers/shared/api.php
@@ -177,6 +177,7 @@ App::init()
 $end = $request->getContentRangeEnd();
 $timeLimit = new TimeLimit($abuseKey, $route->getLabel('abuse-limit', 0), $route->getLabel('abuse-time', 3600), $dbForProject);
 $timeLimit
+ ->setParam('{projectId}', $project->getId())
 ->setParam('{userId}', $user->getId())
 ->setParam('{userAgent}', $request->getUserAgent(''))
 ->setParam('{ip}', $request->getIP())