2019-05-09 18:54:39 +12:00
|
|
|
<?php
|
2019-10-01 17:57:41 +13:00
|
|
|
|
2021-01-12 10:52:05 +13:00
|
|
|
use Appwrite\Auth\Auth;
|
2022-05-26 23:51:08 +12:00
|
|
|
use Appwrite\Event\Audit;
|
2022-06-22 22:51:49 +12:00
|
|
|
use Appwrite\Event\Database as EventDatabase;
|
2022-05-26 23:51:08 +12:00
|
|
|
use Appwrite\Event\Delete;
|
2022-04-04 18:30:07 +12:00
|
|
|
use Appwrite\Event\Event;
|
2022-05-26 23:51:08 +12:00
|
|
|
use Appwrite\Event\Mail;
|
2021-06-30 23:36:58 +12:00
|
|
|
use Appwrite\Messaging\Adapter\Realtime;
|
2022-05-26 23:51:08 +12:00
|
|
|
use Appwrite\Stats\Stats;
|
|
|
|
|
use Appwrite\Utopia\Response;
|
|
|
|
|
use Appwrite\Utopia\Request;
|
2020-06-29 05:31:21 +12:00
|
|
|
use Utopia\App;
|
2022-02-07 01:49:01 +13:00
|
|
|
use Appwrite\Extend\Exception;
|
2019-11-30 07:23:29 +13:00
|
|
|
use Utopia\Abuse\Abuse;
|
|
|
|
|
use Utopia\Abuse\Adapters\TimeLimit;
|
2022-05-26 23:51:08 +12:00
|
|
|
use Utopia\Database\Database;
|
2021-10-08 04:35:17 +13:00
|
|
|
use Utopia\Database\Document;
|
2022-01-19 00:05:04 +13:00
|
|
|
use Utopia\Database\Validator\Authorization;
|
2022-05-26 23:51:08 +12:00
|
|
|
use Utopia\Registry\Registry;
|
2019-11-30 07:23:29 +13:00
|
|
|
|
2022-06-22 22:51:49 +12:00
|
|
|
App::init(function (App $utopia, Request $request, Response $response, Document $project, Document $user, Event $events, Audit $audits, Mail $mails, Stats $usage, Delete $deletes, EventDatabase $database, Database $dbForProject, string $mode) {
|
2021-01-06 01:22:20 +13:00
|
|
|
|
2019-11-30 07:23:29 +13:00
|
|
|
$route = $utopia->match($request);
|
|
|
|
|
|
2021-06-21 01:59:36 +12:00
|
|
|
if ($project->isEmpty() && $route->getLabel('abuse-limit', 0) > 0) { // Abuse limit requires an active project scope
|
2022-02-07 01:49:01 +13:00
|
|
|
throw new Exception('Missing or unknown project ID', 400, Exception::PROJECT_UNKNOWN);
|
2020-06-18 08:08:55 +12:00
|
|
|
}
|
|
|
|
|
|
2021-06-07 17:17:29 +12:00
|
|
|
/*
|
|
|
|
|
* Abuse Check
|
|
|
|
|
*/
|
2021-11-09 23:21:24 +13:00
|
|
|
$abuseKeyLabel = $route->getLabel('abuse-key', 'url:{url},ip:{ip}');
|
|
|
|
|
$timeLimitArray = [];
|
2021-06-07 17:17:29 +12:00
|
|
|
|
2021-11-24 22:57:25 +13:00
|
|
|
$abuseKeyLabel = (!is_array($abuseKeyLabel)) ? [$abuseKeyLabel] : $abuseKeyLabel;
|
2021-06-07 17:17:29 +12:00
|
|
|
|
2021-11-10 03:07:10 +13:00
|
|
|
foreach ($abuseKeyLabel as $abuseKey) {
|
2022-01-04 01:44:28 +13:00
|
|
|
$timeLimit = new TimeLimit($abuseKey, $route->getLabel('abuse-limit', 0), $route->getLabel('abuse-time', 3600), $dbForProject);
|
2021-11-09 23:21:24 +13:00
|
|
|
$timeLimit
|
|
|
|
|
->setParam('{userId}', $user->getId())
|
|
|
|
|
->setParam('{userAgent}', $request->getUserAgent(''))
|
|
|
|
|
->setParam('{ip}', $request->getIP())
|
2022-05-24 02:54:50 +12:00
|
|
|
->setParam('{url}', $request->getHostname() . $route->getPath());
|
2021-11-09 23:21:24 +13:00
|
|
|
$timeLimitArray[] = $timeLimit;
|
2021-06-07 17:17:29 +12:00
|
|
|
}
|
|
|
|
|
|
2021-11-10 03:52:32 +13:00
|
|
|
$closestLimit = null;
|
2021-06-07 17:17:29 +12:00
|
|
|
|
2021-12-11 06:52:33 +13:00
|
|
|
$roles = Authorization::getRoles();
|
|
|
|
|
$isPrivilegedUser = Auth::isPrivilegedUser($roles);
|
|
|
|
|
$isAppUser = Auth::isAppUser($roles);
|
2021-06-07 17:17:29 +12:00
|
|
|
|
2021-11-09 23:21:24 +13:00
|
|
|
foreach ($timeLimitArray as $timeLimit) {
|
|
|
|
|
foreach ($request->getParams() as $key => $value) { // Set request params as potential abuse keys
|
2022-05-24 02:54:50 +12:00
|
|
|
if (!empty($value)) {
|
|
|
|
|
$timeLimit->setParam('{param-' . $key . '}', (\is_array($value)) ? \json_encode($value) : $value);
|
2021-11-09 23:21:24 +13:00
|
|
|
}
|
2021-06-24 03:11:23 +12:00
|
|
|
}
|
2021-06-07 17:17:29 +12:00
|
|
|
|
2021-11-09 23:21:24 +13:00
|
|
|
$abuse = new Abuse($timeLimit);
|
2021-06-07 17:17:29 +12:00
|
|
|
|
2021-11-10 03:56:25 +13:00
|
|
|
if ($timeLimit->limit() && ($timeLimit->remaining() < $closestLimit || is_null($closestLimit))) {
|
2021-11-10 03:07:10 +13:00
|
|
|
$closestLimit = $timeLimit->remaining();
|
2021-11-09 23:21:24 +13:00
|
|
|
$response
|
|
|
|
|
->addHeader('X-RateLimit-Limit', $timeLimit->limit())
|
|
|
|
|
->addHeader('X-RateLimit-Remaining', $timeLimit->remaining())
|
|
|
|
|
->addHeader('X-RateLimit-Reset', $timeLimit->time() + $route->getLabel('abuse-time', 3600))
|
|
|
|
|
;
|
|
|
|
|
}
|
2021-06-07 17:17:29 +12:00
|
|
|
|
2022-05-24 02:54:50 +12:00
|
|
|
if (
|
|
|
|
|
(App::getEnv('_APP_OPTIONS_ABUSE', 'enabled') !== 'disabled' // Route is rate-limited
|
|
|
|
|
&& $abuse->check()) // Abuse is not disabled
|
|
|
|
|
&& (!$isAppUser && !$isPrivilegedUser)
|
|
|
|
|
) { // User is not an admin or API key
|
2022-02-07 10:27:16 +13:00
|
|
|
throw new Exception('Too many requests', 429, Exception::GENERAL_RATE_LIMIT_EXCEEDED);
|
2021-11-09 23:21:24 +13:00
|
|
|
}
|
2021-06-07 17:17:29 +12:00
|
|
|
}
|
2021-01-06 01:22:20 +13:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Background Jobs
|
|
|
|
|
*/
|
2022-04-04 18:30:07 +12:00
|
|
|
$events
|
|
|
|
|
->setEvent($route->getLabel('event', ''))
|
|
|
|
|
->setProject($project)
|
|
|
|
|
->setUser($user)
|
|
|
|
|
;
|
|
|
|
|
|
2022-04-14 00:39:31 +12:00
|
|
|
$mails
|
|
|
|
|
->setProject($project)
|
|
|
|
|
->setUser($user)
|
2021-01-06 01:22:20 +13:00
|
|
|
;
|
|
|
|
|
|
|
|
|
|
$audits
|
2022-04-14 00:39:31 +12:00
|
|
|
->setMode($mode)
|
|
|
|
|
->setUserAgent($request->getUserAgent(''))
|
|
|
|
|
->setIP($request->getIP())
|
2022-04-04 18:30:07 +12:00
|
|
|
->setEvent($route->getLabel('event', ''))
|
|
|
|
|
->setProject($project)
|
|
|
|
|
->setUser($user)
|
2021-01-06 01:22:20 +13:00
|
|
|
;
|
|
|
|
|
|
|
|
|
|
$usage
|
|
|
|
|
->setParam('projectId', $project->getId())
|
|
|
|
|
->setParam('httpRequest', 1)
|
2022-05-24 02:54:50 +12:00
|
|
|
->setParam('httpUrl', $request->getHostname() . $request->getURI())
|
2021-01-06 01:22:20 +13:00
|
|
|
->setParam('httpMethod', $request->getMethod())
|
2021-08-24 21:51:45 +12:00
|
|
|
->setParam('httpPath', $route->getPath())
|
2021-01-06 01:22:20 +13:00
|
|
|
->setParam('networkRequestSize', 0)
|
|
|
|
|
->setParam('networkResponseSize', 0)
|
|
|
|
|
->setParam('storage', 0)
|
|
|
|
|
;
|
|
|
|
|
|
2022-04-14 00:39:31 +12:00
|
|
|
$deletes->setProject($project);
|
|
|
|
|
$database->setProject($project);
|
|
|
|
|
}, ['utopia', 'request', 'response', 'project', 'user', 'events', 'audits', 'mails', 'usage', 'deletes', 'database', 'dbForProject', 'mode'], 'api');
|
2021-01-06 01:22:20 +13:00
|
|
|
|
2022-05-26 23:51:08 +12:00
|
|
|
App::init(function (App $utopia, Request $request, Document $project) {
|
2021-03-01 07:36:13 +13:00
|
|
|
|
|
|
|
|
$route = $utopia->match($request);
|
|
|
|
|
|
2021-12-11 06:52:33 +13:00
|
|
|
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
|
|
|
|
|
$isAppUser = Auth::isAppUser(Authorization::getRoles());
|
2021-03-01 07:36:13 +13:00
|
|
|
|
2022-05-24 02:54:50 +12:00
|
|
|
if ($isAppUser || $isPrivilegedUser) { // Skip limits for app and console devs
|
2021-03-01 07:36:13 +13:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-06 19:42:31 +12:00
|
|
|
$auths = $project->getAttribute('auths', []);
|
2021-03-01 07:36:13 +13:00
|
|
|
switch ($route->getLabel('auth.type', '')) {
|
|
|
|
|
case 'emailPassword':
|
2022-05-24 02:54:50 +12:00
|
|
|
if (($auths['emailPassword'] ?? true) === false) {
|
2022-02-07 01:49:01 +13:00
|
|
|
throw new Exception('Email / Password authentication is disabled for this project', 501, Exception::USER_AUTH_METHOD_UNSUPPORTED);
|
2021-03-01 07:36:13 +13:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
2021-08-31 22:29:54 +12:00
|
|
|
case 'magic-url':
|
2022-05-24 02:54:50 +12:00
|
|
|
if ($project->getAttribute('usersAuthMagicURL', true) === false) {
|
2022-02-07 01:49:01 +13:00
|
|
|
throw new Exception('Magic URL authentication is disabled for this project', 501, Exception::USER_AUTH_METHOD_UNSUPPORTED);
|
2021-08-31 22:29:54 +12:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
2021-03-01 07:36:13 +13:00
|
|
|
case 'anonymous':
|
2022-05-24 02:54:50 +12:00
|
|
|
if (($auths['anonymous'] ?? true) === false) {
|
2022-02-07 01:49:01 +13:00
|
|
|
throw new Exception('Anonymous authentication is disabled for this project', 501, Exception::USER_AUTH_METHOD_UNSUPPORTED);
|
2021-03-01 07:36:13 +13:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case 'invites':
|
2022-05-24 02:54:50 +12:00
|
|
|
if (($auths['invites'] ?? true) === false) {
|
2022-02-07 01:49:01 +13:00
|
|
|
throw new Exception('Invites authentication is disabled for this project', 501, Exception::USER_AUTH_METHOD_UNSUPPORTED);
|
2021-03-01 07:36:13 +13:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case 'jwt':
|
2022-05-24 02:54:50 +12:00
|
|
|
if (($auths['JWT'] ?? true) === false) {
|
2022-02-07 01:49:01 +13:00
|
|
|
throw new Exception('JWT authentication is disabled for this project', 501, Exception::USER_AUTH_METHOD_UNSUPPORTED);
|
2021-03-01 07:36:13 +13:00
|
|
|
}
|
|
|
|
|
break;
|
2021-12-07 01:03:12 +13:00
|
|
|
|
2021-03-01 07:36:13 +13:00
|
|
|
default:
|
2022-02-07 10:01:23 +13:00
|
|
|
throw new Exception('Unsupported authentication route', 501, Exception::USER_AUTH_METHOD_UNSUPPORTED);
|
2021-03-01 07:36:13 +13:00
|
|
|
break;
|
|
|
|
|
}
|
2021-08-06 22:48:50 +12:00
|
|
|
}, ['utopia', 'request', 'project'], 'auth');
|
2021-03-01 07:36:13 +13:00
|
|
|
|
2022-06-22 22:51:49 +12:00
|
|
|
App::shutdown(function (App $utopia, Request $request, Response $response, Document $project, Event $events, Audit $audits, Stats $usage, Delete $deletes, EventDatabase $database, string $mode, Database $dbForProject) {
|
2021-01-06 01:22:20 +13:00
|
|
|
|
2022-04-04 18:30:07 +12:00
|
|
|
if (!empty($events->getEvent())) {
|
2022-04-19 04:21:45 +12:00
|
|
|
if (empty($events->getPayload())) {
|
|
|
|
|
$events->setPayload($response->getPayload());
|
|
|
|
|
}
|
2022-04-14 00:39:31 +12:00
|
|
|
/**
|
|
|
|
|
* Trigger functions.
|
|
|
|
|
*/
|
|
|
|
|
$events
|
|
|
|
|
->setClass(Event::FUNCTIONS_CLASS_NAME)
|
|
|
|
|
->setQueue(Event::FUNCTIONS_QUEUE_NAME)
|
|
|
|
|
->trigger();
|
2021-01-06 01:22:20 +13:00
|
|
|
|
2022-04-14 00:39:31 +12:00
|
|
|
/**
|
|
|
|
|
* Trigger webhooks.
|
|
|
|
|
*/
|
|
|
|
|
$events
|
|
|
|
|
->setClass(Event::WEBHOOK_CLASS_NAME)
|
|
|
|
|
->setQueue(Event::WEBHOOK_QUEUE_NAME)
|
2021-01-06 01:22:20 +13:00
|
|
|
->trigger();
|
2021-03-12 05:28:03 +13:00
|
|
|
|
2022-04-14 00:39:31 +12:00
|
|
|
/**
|
|
|
|
|
* Trigger realtime.
|
|
|
|
|
*/
|
2021-03-12 05:28:03 +13:00
|
|
|
if ($project->getId() !== 'console') {
|
2022-04-14 00:39:31 +12:00
|
|
|
$allEvents = Event::generateEvents($events->getEvent(), $events->getParams());
|
2022-04-19 04:21:45 +12:00
|
|
|
$payload = new Document($events->getPayload());
|
2022-04-14 00:39:31 +12:00
|
|
|
|
2022-06-22 22:51:49 +12:00
|
|
|
$db = $events->getContext('database');
|
|
|
|
|
$collection = $events->getContext('collection');
|
|
|
|
|
$bucket = $events->getContext('bucket');
|
2021-12-17 07:12:06 +13:00
|
|
|
|
|
|
|
|
$target = Realtime::fromPayload(
|
2022-05-10 00:36:29 +12:00
|
|
|
// Pass first, most verbose event pattern
|
2022-04-14 00:39:31 +12:00
|
|
|
event: $allEvents[0],
|
|
|
|
|
payload: $payload,
|
|
|
|
|
project: $project,
|
2022-06-22 22:51:49 +12:00
|
|
|
database: $db,
|
2022-02-16 14:30:27 +13:00
|
|
|
collection: $collection,
|
|
|
|
|
bucket: $bucket,
|
2021-12-17 07:12:06 +13:00
|
|
|
);
|
2021-06-30 23:36:58 +12:00
|
|
|
|
|
|
|
|
Realtime::send(
|
2022-04-19 04:21:45 +12:00
|
|
|
projectId: $target['projectId'] ?? $project->getId(),
|
|
|
|
|
payload: $events->getPayload(),
|
|
|
|
|
events: $allEvents,
|
|
|
|
|
channels: $target['channels'],
|
|
|
|
|
roles: $target['roles'],
|
|
|
|
|
options: [
|
2022-05-24 02:54:50 +12:00
|
|
|
'permissionsChanged' => $target['permissionsChanged'],
|
2021-06-30 23:36:58 +12:00
|
|
|
'userId' => $events->getParam('userId')
|
|
|
|
|
]
|
|
|
|
|
);
|
2021-03-12 05:28:03 +13:00
|
|
|
}
|
2021-01-06 01:22:20 +13:00
|
|
|
}
|
2021-10-08 04:35:17 +13:00
|
|
|
|
2022-04-14 00:39:31 +12:00
|
|
|
if (!empty($audits->getResource())) {
|
|
|
|
|
foreach ($events->getParams() as $key => $value) {
|
|
|
|
|
$audits->setParam($key, $value);
|
|
|
|
|
}
|
2021-01-06 01:22:20 +13:00
|
|
|
$audits->trigger();
|
|
|
|
|
}
|
2021-10-08 04:35:17 +13:00
|
|
|
|
2022-04-18 08:34:32 +12:00
|
|
|
if (!empty($deletes->getType())) {
|
2021-01-06 01:22:20 +13:00
|
|
|
$deletes->trigger();
|
|
|
|
|
}
|
2021-06-19 04:13:37 +12:00
|
|
|
|
2022-04-14 00:39:31 +12:00
|
|
|
if (!empty($database->getType())) {
|
2021-06-19 04:13:37 +12:00
|
|
|
$database->trigger();
|
|
|
|
|
}
|
2021-10-08 04:35:17 +13:00
|
|
|
|
2021-01-06 01:22:20 +13:00
|
|
|
$route = $utopia->match($request);
|
2022-05-24 02:54:50 +12:00
|
|
|
if (
|
|
|
|
|
App::getEnv('_APP_USAGE_STATS', 'enabled') == 'enabled'
|
2021-01-14 19:05:55 +13:00
|
|
|
&& $project->getId()
|
2021-07-28 02:16:12 +12:00
|
|
|
&& $mode !== APP_MODE_ADMIN // TODO: add check to make sure user is admin
|
2022-05-24 02:54:50 +12:00
|
|
|
&& !empty($route->getLabel('sdk.namespace', null))
|
|
|
|
|
) { // Don't calculate console usage on admin mode
|
2022-04-18 08:34:32 +12:00
|
|
|
$usage
|
|
|
|
|
->setParam('networkRequestSize', $request->getSize() + $usage->getParam('storage'))
|
|
|
|
|
->setParam('networkResponseSize', $response->getSize())
|
|
|
|
|
->submit();
|
2021-01-06 01:22:20 +13:00
|
|
|
}
|
2022-05-24 02:54:50 +12:00
|
|
|
}, ['utopia', 'request', 'response', 'project', 'events', 'audits', 'usage', 'deletes', 'database', 'mode', 'dbForProject'], 'api');
|
