From e8d83739221e03f3672a967ba6c28c036d71f7f0 Mon Sep 17 00:00:00 2001
From: Damodar Lohani
Date: Thu, 15 Jan 2026 12:59:30 +0000
Subject: [PATCH 1/2] Fix: phone auth limit
---
 app/controllers/api/account.php | 51 ++++++-------------
 app/controllers/api/teams.php | 26 +++-------
 .../Http/Account/MFA/Challenges/Create.php | 26 +++-------
 3 files changed, 32 insertions(+), 71 deletions(-)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index bcea3387a2..86ed81056f 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -35,7 +35,6 @@ use Appwrite\Utopia\Request;
 use Appwrite\Utopia\Response;
 use libphonenumber\PhoneNumberUtil;
 use MaxMind\Db\Reader;
-use Utopia\Abuse\Abuse;
 use Utopia\App;
 use Utopia\Audit\Audit;
 use Utopia\Auth\Hashes\Sha;
@@ -2908,26 +2907,17 @@ App::post('/v1/account/tokens/phone')
 ->setRecipients([$phone])
 ->setProviderType(MESSAGE_TYPE_SMS);
- if (isset($plan['authPhone'])) {
- $timelimit = $timelimit('organization:{organizationId}', $plan['authPhone'], 30 * 24 * 60 * 60); // 30 days
- $timelimit
- ->setParam('{organizationId}', $project->getAttribute('teamId'));
+ $helper = PhoneNumberUtil::getInstance();
+ $countryCode = $helper->parse($phone)->getCountryCode();
- $abuse = new Abuse($timelimit);
- if ($abuse->check() && System::getEnv('_APP_OPTIONS_ABUSE', 'enabled') === 'enabled') {
- $helper = PhoneNumberUtil::getInstance();
- $countryCode = $helper->parse($phone)->getCountryCode();
-
- if (!empty($countryCode)) {
- $queueForStatsUsage
- ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
- }
- }
+ if (!empty($countryCode)) {
 $queueForStatsUsage
- ->addMetric(METRIC_AUTH_METHOD_PHONE, 1)
- ->setProject($project)
- ->trigger();
+ ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
 }
+ $queueForStatsUsage
+ ->addMetric(METRIC_AUTH_METHOD_PHONE, 1)
+ ->setProject($project)
+ ->trigger();
 }
 $token->setAttribute('secret', $secret);
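Review bot: The removed `if (isset($plan['authPhone']))` block was the only visible place that built and hit the `organization:{organizationId}` time limit sized by `$plan['authPhone']`, and `$abuse->check()` was the call that recorded the hit; after this hunk nothing in the endpoint touches that counter, so if the plan's phone-auth allowance is enforced by another layer reading it, enforcement would silently stop — worth confirming that layer exists, or stating in the commit message that the per-plan cap is intentionally dropped here. The same removal is made in the `/v1/account/verifications/phone`, `/v1/teams/:teamId/memberships` and `Create.php` hunks that follow. The remaining metrics block is now identical in all four places; a small shared helper taking `$queueForStatsUsage`, `$project` and `$phone` would keep the four sites from drifting again. The enclosing `App::post` closure starts and ends outside the hunk.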
@@ -4244,26 +4234,17 @@ App::post('/v1/account/verifications/phone')
 ->setRecipients([$user->getAttribute('phone')])
 ->setProviderType(MESSAGE_TYPE_SMS);
- if (isset($plan['authPhone'])) {
- $timelimit = $timelimit('organization:{organizationId}', $plan['authPhone'], 30 * 24 * 60 * 60); // 30 days
- $timelimit
- ->setParam('{organizationId}', $project->getAttribute('teamId'));
+ $helper = PhoneNumberUtil::getInstance();
+ $countryCode = $helper->parse($phone)->getCountryCode();
- $abuse = new Abuse($timelimit);
- if ($abuse->check() && System::getEnv('_APP_OPTIONS_ABUSE', 'enabled') === 'enabled') {
- $helper = PhoneNumberUtil::getInstance();
- $countryCode = $helper->parse($phone)->getCountryCode();
-
- if (!empty($countryCode)) {
- $queueForStatsUsage
- ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
- }
- }
+ if (!empty($countryCode)) {
 $queueForStatsUsage
- ->addMetric(METRIC_AUTH_METHOD_PHONE, 1)
- ->setProject($project)
- ->trigger();
+ ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
 }
+ $queueForStatsUsage
+ ->addMetric(METRIC_AUTH_METHOD_PHONE, 1)
+ ->setProject($project)
+ ->trigger();
 }
 $verification->setAttribute('secret', $secret);
diff --git a/app/controllers/api/teams.php b/app/controllers/api/teams.php
index aa67a90885..29bb79f6b2 100644
--- a/app/controllers/api/teams.php
+++ b/app/controllers/api/teams.php
@@ -25,7 +25,6 @@ use Appwrite\Utopia\Request;
 use Appwrite\Utopia\Response;
 use libphonenumber\PhoneNumberUtil;
 use MaxMind\Db\Reader;
-use Utopia\Abuse\Abuse;
 use Utopia\App;
 use Utopia\Audit\Audit;
 use Utopia\Auth\Proofs\Password;
@@ -801,26 +800,17 @@ App::post('/v1/teams/:teamId/memberships')
 ->setRecipients([$phone])
 ->setProviderType('SMS');
- if (isset($plan['authPhone'])) {
- $timelimit = $timelimit('organization:{organizationId}', $plan['authPhone'], 30 * 24 * 60 * 60); // 30 days
- $timelimit
- ->setParam('{organizationId}', $project->getAttribute('teamId'));
+ $helper = PhoneNumberUtil::getInstance();
+ $countryCode = $helper->parse($phone)->getCountryCode();
- $abuse = new Abuse($timelimit);
- if ($abuse->check() && System::getEnv('_APP_OPTIONS_ABUSE', 'enabled') === 'enabled') {
- $helper = PhoneNumberUtil::getInstance();
- $countryCode = $helper->parse($phone)->getCountryCode();
-
- if (!empty($countryCode)) {
- $queueForStatsUsage
- ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
- }
- }
+ if (!empty($countryCode)) {
 $queueForStatsUsage
- ->addMetric(METRIC_AUTH_METHOD_PHONE, 1)
- ->setProject($project)
- ->trigger();
+ ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
 }
+ $queueForStatsUsage
+ ->addMetric(METRIC_AUTH_METHOD_PHONE, 1)
+ ->setProject($project)
+ ->trigger();
 }
 }
diff --git a/src/Appwrite/Platform/Modules/Account/Http/Account/MFA/Challenges/Create.php b/src/Appwrite/Platform/Modules/Account/Http/Account/MFA/Challenges/Create.php
index 4dc50a8ec7..bc9ba85251 100644
--- a/src/Appwrite/Platform/Modules/Account/Http/Account/MFA/Challenges/Create.php
+++ b/src/Appwrite/Platform/Modules/Account/Http/Account/MFA/Challenges/Create.php
@@ -18,7 +18,6 @@ use Appwrite\Template\Template;
 use Appwrite\Utopia\Request;
 use Appwrite\Utopia\Response;
 use libphonenumber\PhoneNumberUtil;
-use Utopia\Abuse\Abuse;
 use Utopia\Auth\Proofs\Code as ProofsCode;
 use Utopia\Auth\Proofs\Token as ProofsToken;
 use Utopia\Database\Database;
@@ -196,26 +195,17 @@ class Create extends Action
 ->setRecipients([$phone])
 ->setProviderType(MESSAGE_TYPE_SMS);
- if (isset($plan['authPhone'])) {
- $timelimit = $timelimit('organization:{organizationId}', $plan['authPhone'], 30 * 24 * 60 * 60); // 30 days
- $timelimit
- ->setParam('{organizationId}', $project->getAttribute('teamId'));
+ $helper = PhoneNumberUtil::getInstance();
+ $countryCode = $helper->parse($phone)->getCountryCode();
- $abuse = new Abuse($timelimit);
- if ($abuse->check() && System::getEnv('_APP_OPTIONS_ABUSE', 'enabled') === 'enabled') {
- $helper = PhoneNumberUtil::getInstance();
- $countryCode = $helper->parse($phone)->getCountryCode();
-
- if (!empty($countryCode)) {
- $queueForStatsUsage
- ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
- }
- }
+ if (!empty($countryCode)) {
 $queueForStatsUsage
- ->addMetric(METRIC_AUTH_METHOD_PHONE, 1)
- ->setProject($project)
- ->trigger();
+ ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
 }
+ $queueForStatsUsage
+ ->addMetric(METRIC_AUTH_METHOD_PHONE, 1)
+ ->setProject($project)
+ ->trigger();
 break;
 case Type::EMAIL:
 if (empty(System::getEnv('_APP_SMTP_HOST'))) {
From 991f5ff9fd8a392e441830e116b064c2cdf38ec4 Mon Sep 17 00:00:00 2001
From: Damodar Lohani
Date: Thu, 15 Jan 2026 13:19:34 +0000
Subject: [PATCH 2/2] Catch exception
---
 app/controllers/api/account.php | 25 +++++++++++++------
 app/controllers/api/teams.php | 13 +++++++---
 .../Http/Account/MFA/Challenges/Create.php | 13 +++++++---
 3 files changed, 35 insertions(+), 16 deletions(-)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 86ed81056f..ce655bfe18 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -33,6 +33,7 @@ use Appwrite\Utopia\Database\Validator\CustomId;
 use Appwrite\Utopia\Database\Validator\Queries\Identities;
 use Appwrite\Utopia\Request;
 use Appwrite\Utopia\Response;
+use libphonenumber\NumberParseException;
 use libphonenumber\PhoneNumberUtil;
 use MaxMind\Db\Reader;
 use Utopia\App;
@@ -2908,11 +2909,15 @@ App::post('/v1/account/tokens/phone')
 ->setProviderType(MESSAGE_TYPE_SMS);
 $helper = PhoneNumberUtil::getInstance();
- $countryCode = $helper->parse($phone)->getCountryCode();
+ try {
+ $countryCode = $helper->parse($phone)->getCountryCode();
- if (!empty($countryCode)) {
- $queueForStatsUsage
- ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
+ if (!empty($countryCode)) {
+ $queueForStatsUsage
+ ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
+ }
+ } catch (NumberParseException $e) {
+ // Ignore invalid phone number for country code stats
 }
 $queueForStatsUsage
 ->addMetric(METRIC_AUTH_METHOD_PHONE, 1)
@@ -4235,11 +4240,15 @@ App::post('/v1/account/verifications/phone')
 ->setProviderType(MESSAGE_TYPE_SMS);
 $helper = PhoneNumberUtil::getInstance();
- $countryCode = $helper->parse($phone)->getCountryCode();
+ try {
+ $countryCode = $helper->parse($phone)->getCountryCode();
- if (!empty($countryCode)) {
- $queueForStatsUsage
- ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
+ if (!empty($countryCode)) {
+ $queueForStatsUsage
+ ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
+ }
+ } catch (NumberParseException $e) {
+ // Ignore invalid phone number for country code stats
 }
 $queueForStatsUsage
 ->addMetric(METRIC_AUTH_METHOD_PHONE, 1)
diff --git a/app/controllers/api/teams.php b/app/controllers/api/teams.php
index 29bb79f6b2..a68939daa3 100644
--- a/app/controllers/api/teams.php
+++ b/app/controllers/api/teams.php
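Review bot: `catch (NumberParseException $e)` in the `/v1/account/tokens/phone` hunk binds `$e` and never uses it; PHP 8 allows `} catch (NumberParseException) {`, which also makes the deliberate swallow explicit to static analysis. Keeping the aggregate `METRIC_AUTH_METHOD_PHONE` metric outside the `try` is the right split, since only the per-country breakdown depends on parsing succeeding. What the hunk does not say is whether an unparsable `$phone` is already rejected before it reaches `->setRecipients([$phone])` a few lines above; if it is not, the catch lets such a recipient reach the SMS queue with only the stats suppressed, so a comment such as `// TODO(review): confirm $phone is validated before it reaches the SMS queue; parsing can still fail for inputs libphonenumber cannot interpret` would record the assumption. The same applies to the `/v1/account/verifications/phone` hunk below it and to the teams.php and Create.php hunks. The enclosing closure starts and ends outside the hunk.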
@@ -23,6 +23,7 @@ use Appwrite\Utopia\Database\Validator\Queries\Memberships;
 use Appwrite\Utopia\Database\Validator\Queries\Teams;
 use Appwrite\Utopia\Request;
 use Appwrite\Utopia\Response;
+use libphonenumber\NumberParseException;
 use libphonenumber\PhoneNumberUtil;
 use MaxMind\Db\Reader;
 use Utopia\App;
@@ -801,11 +802,15 @@ App::post('/v1/teams/:teamId/memberships')
 ->setProviderType('SMS');
 $helper = PhoneNumberUtil::getInstance();
- $countryCode = $helper->parse($phone)->getCountryCode();
+ try {
+ $countryCode = $helper->parse($phone)->getCountryCode();
- if (!empty($countryCode)) {
- $queueForStatsUsage
- ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
+ if (!empty($countryCode)) {
+ $queueForStatsUsage
+ ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
+ }
+ } catch (NumberParseException $e) {
+ // Ignore invalid phone number for country code stats
 }
 $queueForStatsUsage
 ->addMetric(METRIC_AUTH_METHOD_PHONE, 1)
diff --git a/src/Appwrite/Platform/Modules/Account/Http/Account/MFA/Challenges/Create.php b/src/Appwrite/Platform/Modules/Account/Http/Account/MFA/Challenges/Create.php
index bc9ba85251..517963bbda 100644
--- a/src/Appwrite/Platform/Modules/Account/Http/Account/MFA/Challenges/Create.php
+++ b/src/Appwrite/Platform/Modules/Account/Http/Account/MFA/Challenges/Create.php
@@ -17,6 +17,7 @@ use Appwrite\SDK\Response as SDKResponse;
 use Appwrite\Template\Template;
 use Appwrite\Utopia\Request;
 use Appwrite\Utopia\Response;
+use libphonenumber\NumberParseException;
 use libphonenumber\PhoneNumberUtil;
 use Utopia\Auth\Proofs\Code as ProofsCode;
 use Utopia\Auth\Proofs\Token as ProofsToken;
@@ -196,11 +197,15 @@ class Create extends Action
 ->setProviderType(MESSAGE_TYPE_SMS);
 $helper = PhoneNumberUtil::getInstance();
- $countryCode = $helper->parse($phone)->getCountryCode();
+ try {
+ $countryCode = $helper->parse($phone)->getCountryCode();
- if (!empty($countryCode)) {
- $queueForStatsUsage
- ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
+ if (!empty($countryCode)) {
+ $queueForStatsUsage
+ ->addMetric(str_replace('{countryCode}', $countryCode, METRIC_AUTH_METHOD_PHONE_COUNTRY_CODE), 1);
+ }
+ } catch (NumberParseException $e) {
+ // Ignore invalid phone number for country code stats
 }
 $queueForStatsUsage
 ->addMetric(METRIC_AUTH_METHOD_PHONE, 1)