new policy protect email or sms api

steemit · Feb 11, 2024 · b2b378c · b2b378c
1 parent ceb1503
commit b2b378c
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 0 deletions.
diff --git a/.env.example b/.env.example
@@ -33,3 +33,7 @@ HIGH_FREQUENCY_TIME_RANGE=2
 HIGH_FREQUENCY_COUNT=10
 CREATOR_INFO=steem|steemcurator01|steemcurator02|booming01|booming02|booming03|booming04
 GOOGLE_ANALYTICS_ID=
+SMS_SEND_TIME_WINDOW=600
+SMS_SEND_THRESHOLD_IN_TIME_WINDOW=1
+EMAIL_SEND_TIME_WINDOW=600
+EMAIL_SEND_THRESHOLD_IN_TIME_WINDOW=1
diff --git a/db/migrations/20240209-add-index-of-created_at-in-actions-table.js b/db/migrations/20240209-add-index-of-created_at-in-actions-table.js
@@ -0,0 +1,8 @@
+module.exports = {
+  up: async (queryInterface, Sequelize) => {
+    await queryInterface.addIndex('actions', ['created_at'], {
+        name: 'idx_created_at',
+    })
+  },
+  down: queryInterface => queryInterface.removeIndex('actions', 'idx_created_at'),
+};
diff --git a/helpers/database.js b/helpers/database.js
@@ -139,6 +139,33 @@ async function actionLimitNew(ip, action = 'default', ipLimit = 32) {
     }
 }
 
+/**
+ * protect email or sms api
+ * in {timeWindow}, only {limitCount} are allowed.
+ * -- action = 'request_email_code' | 'send_sms'
+ * -- timeWindow
+ * -- limitCount
+ */
+async function emailOrSmsActionLimit(action, timeWindow = 300, limitCount = 1) {
+    const created_at = {
+        [Op.gte]: moment()
+            .subtract(timeWindow, 's')
+            .toDate(),
+    };
+    const promises = [
+        db.actions.count({
+            where: { created_at, action: { [Op.eq]: action } },
+        }),
+    ];
+    const [actions] = await Promise.all(promises);
+    if (actions > limitCount) {
+        throw new ApiError({
+            type: 'error_api_auth_code_request_frequently',
+            field: { action },
+        });
+    }
+}
+
 /**
  * find last send sms action by country number
  */
@@ -209,4 +236,5 @@ module.exports = {
     deleteEmailRecord,
     findLastSendSmsByCountryNumber,
     countTryNumber,
+    emailOrSmsActionLimit,
 };
diff --git a/routes/apiHandlers.js b/routes/apiHandlers.js
@@ -917,6 +917,18 @@ async function handleRequestEmailCode(ip, email, log, locale) {
 
     await database.actionLimitNew(ip, 'request_email_code');
 
+    const timeWindow = process.env.EMAIL_SEND_TIME_WINDOW
+        ? parseInt(process.env.EMAIL_SEND_TIME_WINDOW, 10)
+        : 300;
+    const limitCount = process.env.EMAIL_SEND_THRESHOLD_IN_TIME_WINDOW
+        ? parseInt(process.env.EMAIL_SEND_THRESHOLD_IN_TIME_WINDOW, 10)
+        : 1;
+    await database.emailOrSmsActionLimit(
+        'request_email_code',
+        timeWindow,
+        limitCount
+    );
+
     await database.logAction({
         action: 'request_email_code',
         ip,
@@ -1361,6 +1373,14 @@ async function handleRequestSmsNew(req) {
         }
     }
 
+    const timeWindow = process.env.SMS_SEND_TIME_WINDOW
+        ? parseInt(process.env.SMS_SEND_TIME_WINDOW, 10)
+        : 300;
+    const limitCount = process.env.SMS_SEND_THRESHOLD_IN_TIME_WINDOW
+        ? parseInt(process.env.SMS_SEND_THRESHOLD_IN_TIME_WINDOW, 10)
+        : 1;
+    await database.emailOrSmsActionLimit('send_sms', timeWindow, limitCount);
+
     await database.logAction({
         action: 'send_sms',
         ip: req.ip,
@@ -1369,6 +1389,7 @@ async function handleRequestSmsNew(req) {
             countryNumber,
         },
     });
+
     services.recordSmsTracker({
         sendType: 'before_send_sms',
         countryCode: req.body.prefix,