From c07a3889e6470cf49cde91e6f0b6e78e6515bb14 Mon Sep 17 00:00:00 2001
From: Khushboo Verma <43381712+vermakhushboo@users.noreply.github.com>
Date: Wed, 24 Jan 2024 14:41:35 +0530
Subject: [PATCH] WIP: Add new group to api.php
---
 .env | 1 +
 app/controllers/api/account.php | 6 +++---
 app/controllers/shared/api.php | 17 +++++++++++++++++
 docker-compose.yml | 1 +
 4 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/.env b/.env
index 9b549a6b69..877a8daac7 100644
--- a/.env
+++ b/.env
@@ -103,3 +103,4 @@ _APP_ASSISTANT_OPENAI_API_KEY=
 _APP_MESSAGE_SMS_TEST_DSN=
 _APP_MESSAGE_EMAIL_TEST_DSN=
 _APP_MESSAGE_PUSH_TEST_DSN=
+_APP_RESTRICTED_COUNTRIES=
\ No newline at end of file
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 962399247e..b45d7ccfb1 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -54,7 +54,7 @@ $oauthDefaultFailure = '/auth/oauth2/failure';
 App::post('/v1/account')
 ->desc('Create account')
- ->groups(['api', 'account', 'auth'])
+ ->groups(['api', 'account', 'auth', 'restrict'])
 ->label('event', 'users.[userId].create')
 ->label('scope', 'sessions.write')
 ->label('auth.type', 'emailPassword')
@@ -447,7 +447,7 @@ App::post('/v1/account/sessions/oauth2/callback/:provider/:projectId')
 App::get('/v1/account/sessions/oauth2/:provider/redirect')
 ->desc('OAuth2 redirect')
- ->groups(['api', 'account', 'session'])
+ ->groups(['api', 'account', 'session', 'restrict'])
 ->label('error', __DIR__ . '/../../views/general/error.phtml')
 ->label('event', 'users.[userId].sessions.[sessionId].create')
 ->label('scope', 'public')
@@ -1565,7 +1565,7 @@ App::put('/v1/account/sessions/magic-url')
 App::post('/v1/account/sessions/token')
 ->desc('Create session')
 ->label('event', 'users.[userId].sessions.[sessionId].create')
- ->groups(['api', 'account'])
+ ->groups(['api', 'account', 'restrict'])
 ->label('scope', 'sessions.write')
 ->label('audits.event', 'session.create')
 ->label('audits.resource', 'user/{response.userId}')
diff --git a/app/controllers/shared/api.php b/app/controllers/shared/api.php
index 18c126fb9a..75b5bcb0c5 100644
--- a/app/controllers/shared/api.php
+++ b/app/controllers/shared/api.php
@@ -22,6 +22,7 @@ use Utopia\Database\Database;
 use Utopia\Database\DateTime;
 use Utopia\Database\Document;
 use Utopia\Database\Validator\Authorization;
+use MaxMind\Db\Reader;
 $parseLabel = function (string $label, array $responsePayload, array $requestParams, Document $user) {
 preg_match_all('/{(.*?)}/', $label, $matches);
@@ -592,3 +593,19 @@ App::init()
 throw new Exception(Exception::GENERAL_USAGE_DISABLED);
 }
 });
+
+App::init()
+ ->groups(['restrict'])
+ ->inject('request')
+ ->inject('geodb')
+ ->action(function (Request $request, Reader $geodb) {
+ if (!empty(app::getEnv('_APP_RESTRICTED_COUNTRIES', ''))) {
+ $countries = explode(',', App::getEnv('_APP_RESTRICTED_COUNTRIES', ''));
+ // $record = $geodb->get($request->getIP());
+ $record = $geodb->get('167.220.238.180');
+ $country = $record['country']['iso_code'];
+ if (in_array($country, $countries)) {
+ throw new Exception(Exception::GENERAL_ACCESS_FORBIDDEN, "Access from $country is restricted");
+ }
+ }
+ });
diff --git a/docker-compose.yml b/docker-compose.yml
index 5077592a5b..70e3ecc44e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -192,6 +192,7 @@ services:
 - _APP_MESSAGE_SMS_TEST_DSN
 - _APP_MESSAGE_EMAIL_TEST_DSN
 - _APP_MESSAGE_PUSH_TEST_DSN
+ - _APP_RESTRICTED_COUNTRIES
 appwrite-realtime:
 entrypoint: realtime
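Review bot: The `restrict` group is added here to `POST /v1/account/sessions/token`, but the neighbouring `App::put('/v1/account/sessions/magic-url')` visible in the hunk header keeps its original groups, and the same presumably holds for the email/phone session routes outside this diff, so a caller from a restricted country can still obtain a session through those paths. If the intent is to gate every session-creating route, `'restrict'` needs to be appended to their `->groups([...])` calls as well; if only these three routes are meant to be covered, a short comment on the hook in api.php stating that scope would save the next reader from assuming it is complete. The route definition continues past the end of the hunk.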
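Review bot: The new `restrict` hook in api.php evaluates the hard-coded address `'167.220.238.180'` while the real lookup `$geodb->get($request->getIP())` sits commented out above it, so as written every request is judged by that one IP rather than the caller's and the restriction cannot work in production. Two further gaps in the same action: `$geodb->get()` returns no record for private or unknown addresses, so `$record['country']['iso_code']` reads an offset on null, and the non-strict `in_array($country, $countries)` then treats that null as equal to an empty list entry (which a trailing comma in `_APP_RESTRICTED_COUNTRIES` produces), making the fail-open/fail-closed behaviour accidental rather than chosen; and the configured codes are neither trimmed nor upper-cased, so a value like `us, cn` never matches the upper-case ISO codes MaxMind returns. The rewrite below restores the request IP, guards the missing record explicitly, switches to `in_array(..., true)` and normalises the list; the lower-case `app::getEnv` on the `if` line should also become `App::getEnv` to match the rest of the file. Whether `$request->getIP()` already accounts for proxy headers is not visible in this diff and is worth confirming, since a geo check keyed on a load-balancer address would be ineffective.
```php
    ->action(function (Request $request, Reader $geodb) {
        $restricted = App::getEnv('_APP_RESTRICTED_COUNTRIES', '');
        if ($restricted === '') {
            return;
        }
        // Normalise the configured list so "us, cn" matches the upper-case ISO codes in the record.
        $countries = array_map(
            static fn (string $code): string => strtoupper(trim($code)),
            explode(',', $restricted)
        );
        $record = $geodb->get($request->getIP());
        // Private/unknown addresses have no record; fail open explicitly instead of matching null loosely.
        $country = $record['country']['iso_code'] ?? null;
        if ($country !== null && in_array($country, $countries, true)) {
            throw new Exception(Exception::GENERAL_ACCESS_FORBIDDEN, "Access from $country is restricted");
        }
    });
```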