Throw 451 exception
parent
4cd5999bb3
commit
f4426d553c
2
.env
2
.env
@ -99,4 +99,4 @@ _APP_ASSISTANT_OPENAI_API_KEY=
|
|||
_APP_MESSAGE_SMS_TEST_DSN=
|
||||
_APP_MESSAGE_EMAIL_TEST_DSN=
|
||||
_APP_MESSAGE_PUSH_TEST_DSN=
|
||||
_APP_RESTRICTED_COUNTRIES=AQ
|
||||
_APP_COUNTRIES_DENYLIST=AQ
|
@ -114,6 +114,11 @@ return [
|
|||
'description' => 'Value must be a valid phone number. Format this number with a leading \'+\' and a country code, e.g., +16175551212.',
|
||||
'code' => 400,
|
||||
],
|
||||
Exception::GENERAL_REGION_ACCESS_DENIED => [
|
||||
'name' => Exception::GENERAL_REGION_ACCESS_DENIED,
|
||||
'description' => 'Sorry, access from the current region is denied.',
|
||||
'code' => 451,
|
||||
],
|
||||
|
||||
/** User Errors */
|
||||
Exception::USER_COUNT_EXCEEDED => [
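Review bot: Mapping GENERAL_REGION_ACCESS_DENIED to `'code' => 451` borrows the status RFC 7725 defines for content withheld under a legal demand, whereas the block here is an operator-configured country denylist; the RFC also expects a 451 response to carry a `Link` header with `rel="blocked-by"`, which this error table has no way to express. If 451 is kept, add a note above the entry such as `// 451 (RFC 7725): region denylist from _APP_COUNTRIES_DENYLIST; no Link rel="blocked-by" header is emitted` so the deviation is recorded, otherwise 403 is the conventional status for a policy-based refusal. The enclosing errors array begins before the hunk.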
|
||||
@ -156,7 +156,7 @@ function createUser(string $hash, mixed $hashOptions, string $userId, ?string $e
|
|||
|
||||
App::post('/v1/users')
|
||||
->desc('Create user')
|
||||
->groups(['api', 'users', 'restrict'])
|
||||
->groups(['api', 'users'])
|
||||
->label('event', 'users.[userId].create')
|
||||
->label('scope', 'users.write')
|
||||
->label('audits.event', 'user.create')
|
||||
|
@ -188,7 +188,7 @@ App::post('/v1/users')
|
|||
|
||||
App::post('/v1/users/bcrypt')
|
||||
->desc('Create user with bcrypt password')
|
||||
->groups(['api', 'users', 'restrict'])
|
||||
->groups(['api', 'users'])
|
||||
->label('event', 'users.[userId].create')
|
||||
->label('scope', 'users.write')
|
||||
->label('audits.event', 'user.create')
|
||||
|
@ -219,7 +219,7 @@ App::post('/v1/users/bcrypt')
|
|||
|
||||
App::post('/v1/users/md5')
|
||||
->desc('Create user with MD5 password')
|
||||
->groups(['api', 'users', 'restrict'])
|
||||
->groups(['api', 'users'])
|
||||
->label('event', 'users.[userId].create')
|
||||
->label('scope', 'users.write')
|
||||
->label('audits.event', 'user.create')
|
||||
|
@ -250,7 +250,7 @@ App::post('/v1/users/md5')
|
|||
|
||||
App::post('/v1/users/argon2')
|
||||
->desc('Create user with Argon2 password')
|
||||
->groups(['api', 'users', 'restrict'])
|
||||
->groups(['api', 'users'])
|
||||
->label('event', 'users.[userId].create')
|
||||
->label('scope', 'users.write')
|
||||
->label('audits.event', 'user.create')
|
||||
|
@ -281,7 +281,7 @@ App::post('/v1/users/argon2')
|
|||
|
||||
App::post('/v1/users/sha')
|
||||
->desc('Create user with SHA password')
|
||||
->groups(['api', 'users', 'restrict'])
|
||||
->groups(['api', 'users'])
|
||||
->label('event', 'users.[userId].create')
|
||||
->label('scope', 'users.write')
|
||||
->label('audits.event', 'user.create')
|
||||
|
@ -319,7 +319,7 @@ App::post('/v1/users/sha')
|
|||
|
||||
App::post('/v1/users/phpass')
|
||||
->desc('Create user with PHPass password')
|
||||
->groups(['api', 'users', 'restrict'])
|
||||
->groups(['api', 'users'])
|
||||
->label('event', 'users.[userId].create')
|
||||
->label('scope', 'users.write')
|
||||
->label('audits.event', 'user.create')
|
||||
|
@ -350,7 +350,7 @@ App::post('/v1/users/phpass')
|
|||
|
||||
App::post('/v1/users/scrypt')
|
||||
->desc('Create user with Scrypt password')
|
||||
->groups(['api', 'users', 'restrict'])
|
||||
->groups(['api', 'users'])
|
||||
->label('event', 'users.[userId].create')
|
||||
->label('scope', 'users.write')
|
||||
->label('audits.event', 'user.create')
|
||||
|
@ -394,7 +394,7 @@ App::post('/v1/users/scrypt')
|
|||
|
||||
App::post('/v1/users/scrypt-modified')
|
||||
->desc('Create user with Scrypt modified password')
|
||||
->groups(['api', 'users', 'restrict'])
|
||||
->groups(['api', 'users'])
|
||||
->label('event', 'users.[userId].create')
|
||||
->label('scope', 'users.write')
|
||||
->label('audits.event', 'user.create')
|
||||
|
@ -428,7 +428,7 @@ App::post('/v1/users/scrypt-modified')
|
|||
|
||||
App::post('/v1/users/:userId/targets')
|
||||
->desc('Create User Target')
|
||||
->groups(['api', 'users', 'restrict'])
|
||||
->groups(['api', 'users'])
|
||||
->label('audits.event', 'target.create')
|
||||
->label('audits.resource', 'target/response.$id')
|
||||
->label('event', 'users.[userId].targets.[targetId].create')
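Review bot: Replacing `->groups(['api', 'users', 'restrict'])` with `->groups(['api', 'users'])` on every server-side user-creation route and on the target-creation route changes which requests the country denylist applies to, and nothing in the commit records why. If the geodb hook in general.php is bound to the 'restrict' group — its group label is not visible on this page — API-key callers on these endpoints are no longer subject to the denylist, which is defensible for server-to-server traffic but should be stated in the commit message or next to the hook. A one-line comment on each affected route, e.g. `// Not in 'restrict': the region denylist targets end-user (client) traffic, not server API keys`, would make the intent auditable. Each route definition continues past its hunk.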
|
||||
@ -634,13 +634,14 @@ App::init()
|
|||
->inject('request')
|
||||
->inject('geodb')
|
||||
->action(function (Request $request, Reader $geodb) {
|
||||
if (!empty(app::getEnv('_APP_RESTRICTED_COUNTRIES', ''))) {
|
||||
$countries = explode(',', App::getEnv('_APP_RESTRICTED_COUNTRIES', ''));
|
||||
$denylist = App::getEnv('_APP_COUNTRIES_DENYLIST', '');
|
||||
if (!empty($denylist)) {
|
||||
$countries = explode(',', $denylist);
|
||||
$record = $geodb->get($request->getIP());
|
||||
$country = $record['country']['iso_code'];
|
||||
$countryName = $record['country']['names']['en'];
|
||||
if (in_array($country, $countries)) {
|
||||
throw new Exception(Exception::GENERAL_ACCESS_FORBIDDEN, "Sorry, access from $countryName is restricted");
|
||||
throw new Exception(Exception::GENERAL_REGION_ACCESS_DENIED);
|
||||
}
|
||||
}
|
||||
});
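Review bot: The new parsing on `$countries = explode(',', $denylist);` keeps surrounding whitespace and case, so a value such as `AQ, US` never matches the upper-case `iso_code` the reader returns; normalise with `$countries = array_map('trim', explode(',', $denylist));` and upper-case both sides if operators may write lower-case codes. The check is also only as strong as `$request->getIP()`: the accompanying test drives it through an `x-forwarded-for` header, so if that header is honoured from arbitrary clients rather than only from trusted proxies, a client can choose its own source address and bypass the denylist — worth confirming. The unchanged `$country = $record['country']['iso_code'];` dereferences the lookup without a null check; if the reader returns null for addresses it does not know (private or loopback ranges), the check fails open with a warning, which may be intended but deserves a comment. The App::init() chain begins before the hunk.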
|
||||
|
@ -188,7 +188,7 @@ services:
|
|||
- _APP_MESSAGE_SMS_TEST_DSN
|
||||
- _APP_MESSAGE_EMAIL_TEST_DSN
|
||||
- _APP_MESSAGE_PUSH_TEST_DSN
|
||||
- _APP_RESTRICTED_COUNTRIES
|
||||
- _APP_COUNTRIES_DENYLIST
|
||||
|
||||
appwrite-realtime:
|
||||
entrypoint: realtime
|
||||
@ -57,6 +57,7 @@ class Exception extends \Exception
|
|||
public const GENERAL_NOT_IMPLEMENTED = 'general_not_implemented';
|
||||
public const GENERAL_INVALID_EMAIL = 'general_invalid_email';
|
||||
public const GENERAL_INVALID_PHONE = 'general_invalid_phone';
|
||||
public const GENERAL_REGION_ACCESS_DENIED = 'general_region_access_denied';
|
||||
|
||||
/** Users */
|
||||
public const USER_COUNT_EXCEEDED = 'user_count_exceeded';
|
||||
@ -43,11 +43,12 @@ trait AccountBase
|
|||
/**
|
||||
* Test for FAILURE
|
||||
*/
|
||||
// Deny request from blocked IP
|
||||
$response = $this->client->call(Client::METHOD_POST, '/account', array_merge([
|
||||
'origin' => 'http://localhost',
|
||||
'content-type' => 'application/json',
|
||||
'x-appwrite-project' => $this->getProject()['$id'],
|
||||
'x-forwarded-for' => '103.152.127.250'
|
||||
'x-forwarded-for' => '103.152.127.250' // Test IP for denied access region
|
||||
]), [
|
||||
'userId' => ID::unique(),
|
||||
'email' => $email,
|
||||
|
@ -55,7 +56,7 @@ trait AccountBase
|
|||
'name' => $name,
|
||||
]);
|
||||
|
||||
$this->assertEquals(401, $response['headers']['status-code']);
|
||||
$this->assertEquals(451, $response['headers']['status-code']);
|
||||
|
||||
$response = $this->client->call(Client::METHOD_POST, '/account', array_merge([
|
||||
'origin' => 'http://localhost',
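Review bot: The assertion `$this->assertEquals(451, $response['headers']['status-code']);` depends on the hard-coded `103.152.127.250` still resolving to a denylisted country (AQ in the shipped .env) in whatever GeoIP database the test image carries; when that mapping drifts the request succeeds and the deny path is silently no longer exercised, while a 451 raised for any other reason would still pass. Assert the error type as well, e.g. `$this->assertEquals('general_region_access_denied', $response['body']['type']);` if the error body exposes it, and extend the added comment to record which country the address is expected to map to. Note that the test reaches the check only via an `x-forwarded-for` header, so it implicitly asserts that the server trusts that header in the test environment. The trait continues outside the hunks.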
|
||||