cf worker spamming problem

Hello, I have a problem with a CF Worker. I have made a receiver to receive messages from my website and then forward them to my webhook, but sometimes I get a lot of spam messages sent through my worker link, so is there any way to prevent that spam without using rate limiting? I want the worker to only receive messages from my website.
10 Replies
qqq
qqqOP16mo ago
this is my worker.js code
const webhook = "https://discord.com/api/webhooks/";

// Define rate limiting parameters
const rateLimitWindow = 60 * 1000; // 1 minute
const maxRequestsPerWindow = 5; // Maximum requests per minute

// Map of client key -> request timestamps. Note: this is a module-level
// global, so it is only shared within one Worker isolate on one machine.
const requestTimestamps = new Map();

const corsHeaders = {
  "Access-Control-Allow-Origin": "https://pain.lol",
};

export default {
  async fetch(request, env, ctx) {
    // Check if the request claims to come from 'pain.lol' (Origin is set by
    // browsers, but any non-browser client can send an arbitrary value)
    if (request.headers.get('Origin') === 'https://pain.lol') {
      if (request.method === 'OPTIONS') {
        // Handle preflight request (OPTIONS)
        return new Response(null, {
          status: 200,
          headers: {
            ...corsHeaders,
            "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
            "Access-Control-Allow-Headers": "Content-Type",
          },
        });
      } else if (request.method === 'POST') {
        // Check rate limiting
        const clientIP = request.headers.get("CF-Connecting-IP");
        const clientKey = `${clientIP}-${request.method}-${request.url}`;
        const now = Date.now();
        const timestamps = requestTimestamps.get(clientKey) || [];

        // Remove timestamps older than the rateLimitWindow
        const recentTimestamps = timestamps.filter((timestamp) => now - timestamp <= rateLimitWindow);

        if (recentTimestamps.length >= maxRequestsPerWindow) {
          return new Response("Rate limit exceeded", {
            status: 429,
            headers: corsHeaders,
          });
        }

        // Store only the pruned list plus this request, so old entries do not
        // accumulate forever
        recentTimestamps.push(now);
        requestTimestamps.set(clientKey, recentTimestamps);

        // Forward the raw request body to the webhook
        const res = await fetch(webhook, {
          method: "POST",
          body: request.body,
          headers: {
            "content-type": "application/json",
          },
        });

        return new Response(null, {
          status: res.status,
          headers: corsHeaders,
        });
      } else {
        // Any other method: respond explicitly instead of returning undefined
        return new Response("405", {
          status: 405,
          headers: corsHeaders,
        });
      }
    } else {
      return new Response("403", {
        status: 403,
        headers: corsHeaders,
      });
    }
  },
};
qqq
qqqOP16mo ago
[screenshot attachment]
qqq
qqqOP16mo ago
spam I got
Chaika
Chaika16mo ago
I want the worker to only receive messages from my website
There's not really a magical perfect solution for this. Fundamentally, if a client can do it through a website, then it's possible to script it or automate it. You can make it harder, though.
without using rate limiting
What do you mean without using rate limiting? I see you already have some rate limiting in place, but it's a bit flawed. Using globals like you are is restricted to that single worker instance, which only lives on a single server. Worker instances aren't long-lived, and whichever machine requests end up getting routed to will just spin up another worker instance if there isn't one. There is free unmetered rate limiting, which you can use to set 1 per 10s for example; it's per colo/Cloudflare location, but at least it's colo-wide. If you want to try to prevent spam, I would set up Turnstile on your form, force people to solve it first, and verify it in your worker. Example: https://github.com/cloudflare/turnstile-demo-workers/tree/main. It's not impossible to get around, but it raises the difficulty.
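The two fixes suggested in this reply, as an added example that is not the original poster's code or the linked demo: the request is first checked against a Workers Rate Limiting binding (assumed to be bound as `env.RATE_LIMITER`, which is counted per Cloudflare location rather than per isolate), then the Turnstile token the form submitted is verified server-side against Cloudflare's siteverify endpoint with the secret in `env.TURNSTILE_SECRET` (assumed binding name), and only then is a server-built body forwarded to the webhook URL in `env.DISCORD_WEBHOOK` (assumed). `fetchImpl` is injectable so the handler can be exercised offline with a stub.

```javascript
const ALLOWED_ORIGIN = "https://pain.lol";
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

const CORS_HEADERS = {
  "Access-Control-Allow-Origin": ALLOWED_ORIGIN,
  "Access-Control-Allow-Methods": "POST, OPTIONS",
  "Access-Control-Allow-Headers": "Content-Type",
};

function reply(status, text = null) {
  return new Response(text, { status, headers: CORS_HEADERS });
}

// Server-side Turnstile check. A token is valid for a single siteverify call,
// so a replayed token fails even if the first check passed.
async function verifyTurnstile(token, secret, remoteip, fetchImpl) {
  if (typeof token !== "string" || token.length === 0 || token.length > 2048) return false;
  const form = new URLSearchParams({ secret, response: token });
  if (remoteip) form.set("remoteip", remoteip);
  const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body: form });
  if (!res.ok) return false;
  const data = await res.json();
  return data.success === true;
}

async function handleRequest(request, env, fetchImpl = fetch) {
  // Origin is sent by browsers but is trivially forged by a script, so it is
  // a first filter, not authentication.
  if (request.headers.get("Origin") !== ALLOWED_ORIGIN) return reply(403, "403");
  if (request.method === "OPTIONS") return reply(204);
  if (request.method !== "POST") return reply(405, "405");

  const ip = request.headers.get("CF-Connecting-IP") || "unknown";

  // Rate Limiting binding (assumed name RATE_LIMITER, configured in wrangler
  // config). Its counter is shared across the Workers in one location, unlike
  // a JavaScript global that lives in a single isolate.
  const { success: underLimit } = await env.RATE_LIMITER.limit({ key: ip });
  if (!underLimit) return reply(429, "Rate limit exceeded");

  let fields;
  try {
    fields = await request.json();
  } catch {
    return reply(400, "Bad JSON");
  }
  if (fields === null || typeof fields !== "object") return reply(400, "Bad JSON");

  // The Turnstile widget submits its token in the cf-turnstile-response field.
  const human = await verifyTurnstile(
    fields["cf-turnstile-response"], env.TURNSTILE_SECRET, ip, fetchImpl,
  );
  if (!human) return reply(403, "Turnstile verification failed");

  const message = typeof fields.message === "string" ? fields.message.trim() : "";
  if (!message) return reply(400, "Empty message");

  // Build the webhook body here instead of forwarding the browser's raw JSON,
  // so the client cannot choose embeds, usernames or other webhook fields.
  const res = await fetchImpl(env.DISCORD_WEBHOOK, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ content: message.slice(0, 2000) }),
  });
  return reply(res.ok ? 204 : 502);
}

// Worker entry point in module syntax would be:
//   export default { fetch: (request, env) => handleRequest(request, env) };
```

The siteverify call is the part that actually raises the bar: the page can only obtain a token by running the Turnstile widget, and the Worker refuses anything that did not. The rate limiter then caps how often one IP can even reach that check.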
qqq
qqqOP16mo ago
If you want to try to prevent spam, I would set up Turnstile on your form, force people to solve it first, and verify it in your worker. Example: https://github.com/cloudflare/turnstile-demo-workers/tree/main. It's not impossible to get around, but it raises the difficulty.
I don't want people to solve anything, but the website sends the message automatically without the visitor knowing about it. Is there a way to make it not send the @everyone or @here mentions, or a specific word I select?
Chaika
Chaika16mo ago
That is a Discord API question. You can build an embed where no mentions would work/notify people, or the webhook API also supports the allowed_mentions property, where you can disallow all mentions. The reason they can make those custom embeds is that you have no protection/security around what you pass to the webhook.
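The allowed_mentions approach from this reply, as an added example (not the original poster's code): the Worker builds the webhook body itself from validated fields and sets `allowed_mentions.parse` to an empty list, so Discord renders @everyone, @here, user and role mentions as plain text without notifying anyone. Everything else the browser sent (embeds, tts, and so on) is dropped. The blocked-word list is a hypothetical configuration added for the example.

```javascript
const MAX_CONTENT = 2000; // Discord's content length limit for webhook messages
const MAX_USERNAME = 80;  // Discord's username length limit
const DEFAULT_BLOCKED_WORDS = ["discord.gg/"]; // constructed example list

class RejectedMessage extends Error {}

// Returns the JSON-serialisable body to POST to the webhook, or throws
// RejectedMessage with the reason. Only `message` and `name` are read from
// the client input; any other field is ignored.
function buildWebhookPayload(input, blockedWords = DEFAULT_BLOCKED_WORDS) {
  if (input === null || typeof input !== "object") {
    throw new RejectedMessage("body must be a JSON object");
  }
  const { message, name } = input;
  if (typeof message !== "string" || message.trim().length === 0) {
    throw new RejectedMessage("message is required");
  }
  if (message.length > MAX_CONTENT) {
    throw new RejectedMessage("message too long");
  }
  const lower = message.toLowerCase();
  for (const word of blockedWords) {
    if (lower.includes(word.toLowerCase())) {
      throw new RejectedMessage(`blocked word: ${word}`);
    }
  }

  const payload = {
    content: message,
    // Suppress every mention type. "@everyone" or "@here" in the text is then
    // shown literally and nobody is pinged.
    allowed_mentions: { parse: [] },
  };
  if (typeof name === "string" && name.trim().length > 0) {
    payload.username = name.trim().slice(0, MAX_USERNAME);
  }
  return payload;
}

// Serialises the validated payload for fetch(); the Worker would call
// fetch(webhookUrl, webhookRequestInit(input)) with the webhook URL kept in a
// secret binding rather than in source.
function webhookRequestInit(input, blockedWords = DEFAULT_BLOCKED_WORDS) {
  return {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify(buildWebhookPayload(input, blockedWords)),
  };
}
```

Rejecting in the Worker (returning 400 to the page) rather than forwarding and letting Discord decide keeps the webhook's own rate limit from being consumed by junk.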
qqq
qqqOP16mo ago
I am using a webhook, not the API
Chaika
Chaika16mo ago
I don't want people to solve anything, but the website sends the message automatically without the visitor knowing about it
Turnstile has an invisible mode where it would just silently fail if it thinks the user is a bot, or an interaction-only mode where it only forces them to click if it thinks they're a bot. Otherwise, you're kind of asking for a magical solution that doesn't really exist: if a user can do it, a bot/program can do it; all you can do is raise the difficulty. The webhook is an API; the docs for it are here: https://discord.com/developers/docs/resources/webhook
qqq
qqqOP16mo ago
[screenshot attachment]
qqq
qqqOP16mo ago
avoiding @everyone and @here mentions