Attacco SPAM

src/server/models/user.js

@@ -2174,6 +2174,19 @@ UserSchema.statics.convSubAccount = async function (idapp) {
   return { num };
 };
 
+
+UserSchema.statics.getLastRec = async function (idapp) {
+  const User = this;
+
+  lastrec = await User.find({ idapp }).sort({ date_reg: -1 }).limit(1);
+  if (!!lastrec) {
+    return lastrec[0];
+  } else {
+    return null;
+  }
+};
+
+
 UserSchema.statics.DbOp = async function (idapp, mydata) {
   const User = this;
   try {

src/server/router/users_router.js

@@ -58,18 +58,50 @@ router.post('/', async (req, res) => {
   body.email = body.email.toLowerCase();
 
   const user = new User(body);
+  user.ipaddr = tools.getiPAddressUser(req);
 
   // tools.mylog("LANG PASSATO = " + user.lang, "IDAPP", user.idapp);
 
+  if (!tools.isAlphaNumeric(body.username)) {
+    await tools.snooze(5000);
+    res.status(400).send({ code: server_constants.RIS_CODE_USERNAME_NOT_VALID, msg: '' });
+    return 1;
+  }
+
+  if (tools.blockwords(body.username)) {
+    tools.writeIPToBan(user.ipaddr + ': [' + user.username + '] ' + user.name + ' ' + user.surname);
+    await tools.snooze(100000);
+    res.status(400).send({ code: server_constants.RIS_CODE_USERNAME_NOT_VALID, msg: '' });
+    return 1;
+  }
+
+
   user.linkreg = reg.getlinkregByEmail(body.idapp, body.email, body.username);
   user.verified_email = false;
-  user.ipaddr = tools.getiPAddressUser(req);
   user.lasttimeonline = new Date();
   user.date_reg = new Date();
   user.aportador_iniziale = user.aportador_solidario;
-  if (user.idapp === tools.AYNI) {
+  /* if (user.idapp === tools.AYNI) {
     user.profile.paymenttypes = ['paypal'];
+  } */
+
+  // Controlla se anche l'ultimo record era dallo stesso IP:
+  const lastrec = await User.getLastRec(body.idapp);
+  if (!!lastrec) {
+    if (lastrec.ipaddr === user.ipaddr) {
+      // Se l'ha fatto troppo ravvicinato
+      if (lastrec.date_reg) {
+        let ris = tools.isdiffSecDateLess(lastrec.date_reg, 120);
+        if (ris) {
+          tools.writeIPToBan(user.ipaddr + ': [' + user.username + '] ' + user.name + ' ' + user.surname);
+          await tools.snooze(10000);
+          res.status(400).send({ code: server_constants.RIS_CODE_BANIP, msg: '' });
+          return 1;
+        }
+      }
+    }
   }
+
   // user.perm = 3;
   if (tools.testing()) {
     user.verified_email = true;

src/server/telegram/telegrambot.js

@@ -530,7 +530,7 @@ module.exports = {
 
   getMsgByTipoMsg: async function (mydata, lang, user, sonosognatore) {
     if (!!mydata.msgextra) {
-      return { body: mydata.msgextra, title: ''} ;
+      return { body: mydata.msgextra, title: '' };
     }
 
     let title = '';
@@ -696,7 +696,10 @@ module.exports = {
 
                 if (mydata.inviaemail && !!user.email) {
                   // user.email = 'paolo.arena77@gmail.com';
-                  await sendemail.sendEmail_ByText(user.lang, user.email, user, idapp, {emailbody: mymsg, emailtitle: mytitle});
+                  await sendemail.sendEmail_ByText(user.lang, user.email, user, idapp, {
+                    emailbody: mymsg,
+                    emailtitle: mytitle
+                  });
                   strout += ' -> (EMAIL OK)';
                 }
 
@@ -720,7 +723,7 @@ module.exports = {
           let msg = '';
           if (!!flotta) {
             if (!!mydata.tipomsg) {
-              msg = 'Flotta ' + strflotta + '): ' + tools.getStrMsgByTipoMsg(mydata.tipomsg) + '\n' + mymsg ;
+              msg = 'Flotta ' + strflotta + '): ' + tools.getStrMsgByTipoMsg(mydata.tipomsg) + '\n' + mymsg;
             } else {
               msg = 'Inviato messaggio a tutta la FLOTTA DA ' + flotta.riga + '.' + flotta.col_prima + ' A ' + flotta.riga + '.' + flotta.col_ultima + ' \n' + mymsg;
             }
@@ -1356,14 +1359,15 @@ class Telegram {
     if (user) {
       let ispaypal = false;
       if (!!user.profile.paymenttypes) {
-        if (user.profile.paymenttypes.includes('paypal')) {
+        /*if (user.profile.paymenttypes.includes('paypal')) {
           if (user.profile.email_paypal) {
             ispaypal = true
           }
-        }
+        }*/
+
         if (!!user.profile)
           if (!!user.profile.paymenttypes) {
-            return (user.profile.paymenttypes.length >= 1) && ispaypal;
+            return (user.profile.paymenttypes.length >= 1);
           }
 
       }
@@ -2015,8 +2019,14 @@ class Telegram {
                   // chiedisino = true;
                   // rec.msgall_status = StatusMSGALL.CONFIRM;
                   FormDaMostrare = this.getInlineKeyboard(lang, [
-                    { text: Menu[lang].SI, callback_data: { action: InlineCmd.VOGLIO_IMBARCARMI, username: utente.username } },
+                    {
-                    { text: Menu[lang].NO, callback_data: { action: InlineCmd.NON_VOGLIO_IMBARCARMI, username: utente.username } },
+                      text: Menu[lang].SI,
+                      callback_data: { action: InlineCmd.VOGLIO_IMBARCARMI, username: utente.username }
+                    },
+                    {
+                      text: Menu[lang].NO,
+                      callback_data: { action: InlineCmd.NON_VOGLIO_IMBARCARMI, username: utente.username }
+                    },
                   ]);
                   inviaveramente = true;
                 } else {

src/server/tools/general.js

@@ -26,6 +26,7 @@ const FILELOG = 'filelog.txt';
 const FILEEVENTS = 'logevents.txt';
 const FILEMANAGERS = 'logmanagers.txt';
 const FILESOSTITUZIONI = 'log_sostituzioni.txt';
+const FILEIP_TO_BAN = 'log_iptoban.txt';
 const FILENAVE = 'logNave.txt';
 const subject = process.env.URLBASE_APP1;
 const publicVapidKey = process.env.PUBLIC_VAPI_KEY;
@@ -1164,6 +1165,14 @@ module.exports = {
     return mydate
   },
 
+  isdiffSecDateLess(mydatediffstr, secs) {
+    let mydate = new Date();
+    // console.log('mydate', mydate);
+    let mydata2 = new Date(mydatediffstr);
+    let ris = ((mydate.getTime() - mydata2.getTime()) / 1000);
+    return (ris < secs);
+  },
+
   AddDate(mydate, days) {
     let date = new Date(mydate);
     date.setTime(date.getTime() + days * 86400000);
@@ -1483,6 +1492,10 @@ module.exports = {
     this.writelogfile(mystr, FILESOSTITUZIONI);
   },
 
+  writeIPToBan(mystr) {
+    this.writelogfile(mystr, FILEIP_TO_BAN);
+  },
+
   writeFlottaLog(idapp, mystr, riga, col) {
     this.mkdirpath(idapp + '/');
     this.writelogfile(mystr, idapp + '/' + riga + '_' + col + '.txt');
@@ -1724,7 +1737,27 @@ module.exports = {
       return '🇬🇧';
     else if (lang === 'fr')
       return '🇫🇷';
+  },
+
+  blockwords(mystr) {
+    if (mystr.includes('ttp')) {
+      return true;
+    }
+
+    return false;
+  },
+
+  isAlphaNumeric(str) {
+    let code, i, len;
+
+    for (i = 0, len = str.length; i < len; i++) {
+      code = str.charCodeAt(i);
+      if (!(code > 47 && code < 58) && // numeric (0-9)
+        !(code > 64 && code < 91) && // upper alpha (A-Z)
+        !(code > 96 && code < 123)) { // lower alpha (a-z)
+        return false;
+      }
+    }
+    return true;
   }
-
-
 };

src/server/tools/server_constants.js

@@ -9,6 +9,8 @@ module.exports = Object.freeze({
   RIS_CODE_USER_NOT_THIS_APORTADOR: -75,
   RIS_CODE_USER_EXTRALIST_NOTFOUND: -70,
   RIS_CODE_USERNAME_ALREADY_EXIST: -60,
+  RIS_CODE_USERNAME_NOT_VALID: -65,
+  RIS_CODE_BANIP: -63,
   RIS_CODE_EMAIL_ALREADY_EXIST: -50,
   RIS_CODE_USER_ALREADY_EXIST: -48,
   RIS_CODE_EMAIL_NOT_EXIST: -45,