cf worker spamming problem

Q

qqqOP•9/30/23, 3:44 PM

this is my worker.js code

const webhook = "https://discord.com/api/webhooks/";

// Define rate limiting parameters
const rateLimitWindow = 60 * 1000; // 1 minute
const maxRequestsPerWindow = 5; // Maximum requests per minute

// Create an object to store request timestamps
const requestTimestamps = new Map();

export default {
  async fetch(request, env, ctx) {
    // Check if the request is from 'pain.lol'
    if (request.headers.get('Origin') === 'https://pain.lol') {
      if (request.method === 'OPTIONS') {
        // Handle preflight request (OPTIONS)
        return new Response(null, {
          status: 200,
          headers: {
            "Access-Control-Allow-Origin": "https://pain.lol",
            "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
            "Access-Control-Allow-Headers": "Content-Type",
          },
        });
      } else if (request.method === 'POST') {
        // Check rate limiting
        const clientIP = request.headers.get("CF-Connecting-IP");
        const clientKey = `${clientIP}-${request.method}-${request.url}`;
        const now = Date.now();
        const timestamps = requestTimestamps.get(clientKey) || [];

        // Remove timestamps older than the rateLimitWindow
        const recentTimestamps = timestamps.filter((timestamp) => now - timestamp <= rateLimitWindow);

        if (recentTimestamps.length >= maxRequestsPerWindow) {
          return new Response("Rate limit exceeded", {
            status: 429,
            headers: {
              "Access-Control-Allow-Origin": "https://pain.lol",
            },
          });
        }

        // Update the timestamps
        timestamps.push(now);
        requestTimestamps.set(clientKey, timestamps);

        // Handle the actual POST request here
        const res = await fetch(webhook, {
          method: "POST",
          body: request.body,
          headers: {
            "content-type": "application/json",
          },
        });

        return new Response(null, {
          status: res.status,
          headers: {
            "Access-Control-Allow-Origin": "https://pain.lol",
          },
        });
      }
    } else {
      return new Response("403", {
        status: 403,
        headers: {
          "Access-Control-Allow-Origin": "https://pain.lol",
        },
      });
    }
  },
};

const webhook = "https://discord.com/api/webhooks/";

// Define rate limiting parameters
const rateLimitWindow = 60 * 1000; // 1 minute
const maxRequestsPerWindow = 5; // Maximum requests per minute

// Create an object to store request timestamps
const requestTimestamps = new Map();

export default {
  async fetch(request, env, ctx) {
    // Check if the request is from 'pain.lol'
    if (request.headers.get('Origin') === 'https://pain.lol') {
      if (request.method === 'OPTIONS') {
        // Handle preflight request (OPTIONS)
        return new Response(null, {
          status: 200,
          headers: {
            "Access-Control-Allow-Origin": "https://pain.lol",
            "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
            "Access-Control-Allow-Headers": "Content-Type",
          },
        });
      } else if (request.method === 'POST') {
        // Check rate limiting
        const clientIP = request.headers.get("CF-Connecting-IP");
        const clientKey = `${clientIP}-${request.method}-${request.url}`;
        const now = Date.now();
        const timestamps = requestTimestamps.get(clientKey) || [];

        // Remove timestamps older than the rateLimitWindow
        const recentTimestamps = timestamps.filter((timestamp) => now - timestamp <= rateLimitWindow);

        if (recentTimestamps.length >= maxRequestsPerWindow) {
          return new Response("Rate limit exceeded", {
            status: 429,
            headers: {
              "Access-Control-Allow-Origin": "https://pain.lol",
            },
          });
        }

        // Update the timestamps
        timestamps.push(now);
        requestTimestamps.set(clientKey, timestamps);

        // Handle the actual POST request here
        const res = await fetch(webhook, {
          method: "POST",
          body: request.body,
          headers: {
            "content-type": "application/json",
          },
        });

        return new Response(null, {
          status: res.status,
          headers: {
            "Access-Control-Allow-Origin": "https://pain.lol",
          },
        });
      }
    } else {
      return new Response("403", {
        status: 403,
        headers: {
          "Access-Control-Allow-Origin": "https://pain.lol",
        },
      });
    }
  },
};

const webhook = "https://discord.com/api/webhooks/";

// Define rate limiting parameters
const rateLimitWindow = 60 * 1000; // 1 minute
const maxRequestsPerWindow = 5; // Maximum requests per minute

// Create an object to store request timestamps
const requestTimestamps = new Map();

export default {
  async fetch(request, env, ctx) {
    // Check if the request is from 'pain.lol'
    if (request.headers.get('Origin') === 'https://pain.lol') {
      if (request.method === 'OPTIONS') {
        // Handle preflight request (OPTIONS)
        return new Response(null, {
          status: 200,
          headers: {
            "Access-Control-Allow-Origin": "https://pain.lol",
            "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
            "Access-Control-Allow-Headers": "Content-Type",
          },
        });
      } else if (request.method === 'POST') {
        // Check rate limiting
        const clientIP = request.headers.get("CF-Connecting-IP");
        const clientKey = `${clientIP}-${request.method}-${request.url}`;
        const now = Date.now();
        const timestamps = requestTimestamps.get(clientKey) || [];

        // Remove timestamps older than the rateLimitWindow
        const recentTimestamps = timestamps.filter((timestamp) => now - timestamp <= rateLimitWindow);

        if (recentTimestamps.length >= maxRequestsPerWindow) {
          return new Response("Rate limit exceeded", {
            status: 429,
            headers: {
              "Access-Control-Allow-Origin": "https://pain.lol",
            },
          });
        }

        // Update the timestamps
        timestamps.push(now);
        requestTimestamps.set(clientKey, timestamps);

        // Handle the actual POST request here
        const res = await fetch(webhook, {
          method: "POST",
          body: request.body,
          headers: {
            "content-type": "application/json",
          },
        });

        return new Response(null, {
          status: res.status,
          headers: {
            "Access-Control-Allow-Origin": "https://pain.lol",
          },
        });
      }
    } else {
      return new Response("403", {
        status: 403,
        headers: {
          "Access-Control-Allow-Origin": "https://pain.lol",
        },
      });
    }
  },
};

const webhook = "https://discord.com/api/webhooks/";

// Define rate limiting parameters
const rateLimitWindow = 60 * 1000; // 1 minute
const maxRequestsPerWindow = 5; // Maximum requests per minute

// Create an object to store request timestamps
const requestTimestamps = new Map();

export default {
  async fetch(request, env, ctx) {
    // Check if the request is from 'pain.lol'
    if (request.headers.get('Origin') === 'https://pain.lol') {
      if (request.method === 'OPTIONS') {
        // Handle preflight request (OPTIONS)
        return new Response(null, {
          status: 200,
          headers: {
            "Access-Control-Allow-Origin": "https://pain.lol",
            "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
            "Access-Control-Allow-Headers": "Content-Type",
          },
        });
      } else if (request.method === 'POST') {
        // Check rate limiting
        const clientIP = request.headers.get("CF-Connecting-IP");
        const clientKey = `${clientIP}-${request.method}-${request.url}`;
        const now = Date.now();
        const timestamps = requestTimestamps.get(clientKey) || [];

        // Remove timestamps older than the rateLimitWindow
        const recentTimestamps = timestamps.filter((timestamp) => now - timestamp <= rateLimitWindow);

        if (recentTimestamps.length >= maxRequestsPerWindow) {
          return new Response("Rate limit exceeded", {
            status: 429,
            headers: {
              "Access-Control-Allow-Origin": "https://pain.lol",
            },
          });
        }

        // Update the timestamps
        timestamps.push(now);
        requestTimestamps.set(clientKey, timestamps);

        // Handle the actual POST request here
        const res = await fetch(webhook, {
          method: "POST",
          body: request.body,
          headers: {
            "content-type": "application/json",
          },
        });

        return new Response(null, {
          status: res.status,
          headers: {
            "Access-Control-Allow-Origin": "https://pain.lol",
          },
        });
      }
    } else {
      return new Response("403", {
        status: 403,
        headers: {
          "Access-Control-Allow-Origin": "https://pain.lol",
        },
      });
    }
  },
};

Q

qqqOP•9/30/23, 3:44 PM

Q

qqqOP•9/30/23, 3:44 PM

spam I got

C

Chaika•9/30/23, 4:31 PM

I wanna the worker only recive messages from my website

There's not really a magical perfect solution for this, fundamentally if a client can do it through a website, then it's possible to script it or automate it. You can make it harder though

without using a rate limiting

What do you mean without using rate limiting? I see you already have some rate limiting in place, but it's a bit flawed. Using globals like you are is restricted to that single worker instance, which only lives on a single server. Worker Instances aren't long lived, and whichever machine requests end up getting routed to, will just spin up another worker instance if there isn't one. There is free unmetered rate limiting, which you can use to set 1 per 10s for example, it's per colo/cloudflare location but at least it's colo-wide..

If you want to try to prevent spam, I would set up turnstile on your form, and force people to solve it first and verify it in your worker. Example: https://github.com/cloudflare/turnstile-demo-workers/tree/main. It's not impossible to get around, but it raises the difficulty

Q

qqqOP•9/30/23, 4:58 PM

If you want to try to prevent spam, I would set up turnstile on your form, and force people to solve it first and verify it in your worker. Example: https://github.com/cloudflare/turnstile-demo-workers/tree/main. It's not impossible to get around, but it raises the difficulty

I dont want people to solve anything but the website sends the message automatically without the visitor know about

CChaika > I wanna the worker only recive messages from my website There's not really a m...

Q

qqqOP•9/30/23, 5:01 PM

is there a way to make it not sending the

everyone

everyone

everyone

everyone

or

here

here

here

here

mentions or a specific word I select ?

Qqqq is there a way to make it not sending the ```everyone``` or ```here``` mentio...

C

Chaika•9/30/23, 5:05 PM

That is a Discord API Question. You can build an embed where no mentions would work/notify people, or the webhook api also supports the

allowed_mentions

allowed_mentions

allowed_mentions

allowed_mentions property where you can disallow all mentions. The reason why they can make those custom embeds is because you have no protection/security around what you pass to the webhook

CChaika That is a Discord API Question. You can build an embed where no mentions would w...

Q

qqqOP•9/30/23, 5:06 PM

i am using a webhook not API

Qqqq > If you want to try to prevent spam, I would set up turnstile on your form, and...

C

Chaika•9/30/23, 5:06 PM

I dont want people to solve anything but the website sends the message automatically without the visitor know about

Turnstile has an invisible mode where it would just silently fail if it thinks the user is a bot, or it has an interaction-only mode where it only forces them to click if it thinks they're a bot. Otherwise, you're kind of asking for a magical solution that doesn't really exist, if a user can do it, a bot/program can do it, all you can do is raise the difficulty

Qqqq i am using a webhook not API

C

Chaika•9/30/23, 5:07 PM

The webhook is an API, the docs for it are here: https://discord.com/developers/docs/resources/webhook

Q

qqqOP•10/1/23, 5:46 PM

Q

qqqOP•10/1/23, 5:46 PM

avoiding everyone and here mention

Similar Threads

Similar Threads

Similar Threads