
Idea: add fool protection in "start" function to avoid accidental ban for flood #664

Open
Lopol2010 opened this issue Apr 16, 2024 · 2 comments

Comments

@Lopol2010

Steps to reproduce:

  1. By accident I made the phoneCode callback always return the same resolved promise.
  2. And did not return true from the onError callback.
  3. Then I invalidated the code by sending it to my bot's private chat, so that auth.SignIn throws PhoneCodeExpiredError.

In a couple of seconds this combination got my account banned for flood for 1 hour, due to hundreds of signIn attempts before I stopped the server manually.

Relevant while loop:

```ts
while (1) {
  try {
    try {
      phoneCode = await authParams.phoneCode(isCodeViaApp);
    } catch (err: any) {
      // This is the support for changing phone number from the phone code screen.
      if (err.errorMessage === "RESTART_AUTH") {
        return client.signInUser(apiCredentials, authParams);
      }
    }
    if (!phoneCode) {
      throw new Error("Code is empty");
    }
    // May raise PhoneCodeEmptyError, PhoneCodeExpiredError,
    // PhoneCodeHashEmptyError or PhoneCodeInvalidError.
    const result = await client.invoke(
      new Api.auth.SignIn({
        phoneNumber,
        phoneCodeHash,
        phoneCode,
      })
    );
    if (result instanceof Api.auth.AuthorizationSignUpRequired) {
      isRegistrationRequired = true;
      termsOfService = result.termsOfService;
      break;
    }
    return result.user;
  } catch (err: any) {
    if (err.errorMessage === "SESSION_PASSWORD_NEEDED") {
      return client.signInWithPassword(apiCredentials, authParams);
    } else {
      // Only a truthy return from onError leaves the loop; otherwise the next
      // iteration re-sends SignIn immediately, with no delay and no attempt cap.
      const shouldWeStop = await authParams.onError(err);
      if (shouldWeStop) {
        throw new Error("AUTH_USER_CANCEL");
      }
    }
  }
}
```

@MJBlack9000

Have you tried adding a delay in your own code on every retry? If you have a while() loop which has error-handling, it's a good idea to add a delay between retries. So at the end of your while loop, right after the last "catch" clause, just add something like this:

```js
await new Promise(resolve => setTimeout(resolve, 5000));
```

Which would make it wait 5 seconds on every fail. Aka an equivalent of something like asyncio.sleep(5) in Python.

But overall - if you try to bombard any service with repeated login attempts - you will get limited by that service. I don't think it's anyhow an issue for GramJS devs to deal with. Because Gram.js, like nearly any framework, does exactly what you ask it to do. You'd get the same results with Discord or even normal bot frameworks like Telegraf.js - if you wrote your loop in such a way as to keep constantly trying to login.

@Lopol2010 (Author)

@MJBlack9000, I forgot to mention that this problem occurs in the client.start function, which has infinite loops internally, so I had no loops for auth in my app.
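A bounded-retry version of the sign-in loop quoted in the issue, combined with the per-retry delay suggested above, as an added example that is not GramJS code or anything posted in this thread. `signInWithGuard`, `runScenario`, `AuthError` and the `PHONE_CODE_EXPIRED` string are assumptions standing in for the real client call; the wrapper stops after a fixed number of consecutive failures and backs off between attempts, which is the kind of guard the issue asks for.

```javascript
// Added example, not GramJS code: a bounded retry wrapper for a sign-in step.
// signIn, onError, AuthError and "PHONE_CODE_EXPIRED" are constructed here;
// "SESSION_PASSWORD_NEEDED" is the message the GramJS loop in the issue checks.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

class AuthError extends Error {
  constructor(errorMessage) {
    super(errorMessage);
    this.errorMessage = errorMessage; // same field the GramJS loop inspects
  }
}

// Retry `signIn` until it succeeds, onError asks to stop, or maxAttempts consecutive
// failures are reached, waiting baseDelayMs * 2^(n-1) (capped) between attempts.
async function signInWithGuard(signIn, onError, opts = {}) {
  const { maxAttempts = 5, baseDelayMs = 1000, maxDelayMs = 30000, wait = sleep } = opts;
  let attempts = 0;
  for (;;) {
    attempts += 1;
    try {
      return { user: await signIn(), attempts };
    } catch (err) {
      // The password branch is a different flow, not a retry; hand it back.
      if (err.errorMessage === "SESSION_PASSWORD_NEEDED") throw err;
      if (await onError(err)) throw new AuthError("AUTH_USER_CANCEL");
      if (attempts >= maxAttempts) throw new AuthError("AUTH_MAX_ATTEMPTS");
      await wait(Math.min(baseDelayMs * 2 ** (attempts - 1), maxDelayMs));
    }
  }
}

// Run one scenario and report how it ended and which delays were requested.
async function runScenario(signIn, onError, opts) {
  const waited = [];
  const record = async (ms) => { waited.push(ms); }; // no real sleeping in the demo
  try {
    const { attempts } = await signInWithGuard(signIn, onError, { ...opts, wait: record });
    return { outcome: "OK", attempts, waited };
  } catch (err) {
    return { outcome: err.errorMessage, attempts: waited.length + 1, waited };
  }
}

// Constructed reproduction of the issue: the code is already expired, so every
// attempt throws, and onError returns false (never asks to stop).
const alwaysExpired = async () => { throw new AuthError("PHONE_CODE_EXPIRED"); };
const neverStop = async () => false;
// The user-side fix from the thread: return true for a non-recoverable error.
const stopOnExpired = async (err) => err.errorMessage === "PHONE_CODE_EXPIRED";
runScenario(alwaysExpired, neverStop, { maxAttempts: 4, baseDelayMs: 100 }).then(console.log);
```

With the issue's inputs the wrapper gives up after four attempts spaced 100, 200 and 400 ms apart instead of looping without limit; with `stopOnExpired` it stops after the first failure.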
