Fix #1660 #1826 limit SMS auth attempts from same IP

Kijin Sung 2021-12-31 14:56:30 +09:00
parent ff2e04fb8f
commit 8d1dd026ef
6 changed files with 46 additions and 1 deletions


@ -63,6 +63,7 @@ $lang->limit_day = 'Temporary Limit Date';
$lang->limit_day_description = 'Description for Temporary Limit Date';
$lang->limit_date = 'Limit Date';
$lang->cmd_special_phone_number = 'Verification code exception';
$lang->cmd_max_auth_sms_count = 'Verification rate limit';
$lang->after_login_url = 'URL to redirect after Sign in';
$lang->after_logout_url = 'URL to redirect after Sign out';
$lang->redirect_url = 'URL to redirect after Sign up';
@ -146,6 +147,7 @@ $lang->cmd_send_email = 'Send Mail';
$lang->cmd_allow_duplicate_nickname = 'Allow Duplicate Nicknames';
$lang->about_allow_duplicate_nickname = 'Allow more than one member to use the same nickname.';
$lang->msg_special_code_incorrect_format = 'The verification code must be a 6-digit number.';
$lang->msg_auth_sms_rate_limited = 'Too many verification attempts. Please try again later.';
$lang->msg_email_not_exists = 'You have entered an invalid email address.';
$lang->msg_alreay_scrapped = 'This article is already scrapped.';
$lang->msg_folder_alreay_exists = 'A folder with the same name already exists.';
@ -241,6 +243,7 @@ $lang->about_enable_ssl = 'Personal information from Sign up/Modify Member Info/
$lang->about_limit_day = 'You can limit activation date after sign up';
$lang->about_limit_date = 'Users cannot sign in until the specified date';
$lang->about_special_phone_number = 'You can set up a special phone number that can be verified with a preconfigured code instead of sending an actual SMS.<br>The special phone number will also be allowed to sign up more than once even if this is normally disallowed.<br>This can be useful for development, testing, and app store review process.';
$lang->about_max_auth_sms_count = 'You can limit the number of time someone can try to verify the same phone number from the same IP address.';
$lang->about_after_login_url = 'You can set a URL after login. Blank means the current page.';
$lang->about_after_logout_url = 'You can set a URL after logout. Blank means the current page.';
$lang->about_redirect_url = 'Please select a page where users will go after sign up. When this is empty, it will be set as the previous page of the sign up page.';


@ -63,6 +63,7 @@ $lang->limit_day = '임시 제한 일자';
$lang->limit_day_description = '임시 제한 일자 설명';
$lang->limit_date = '제한일';
$lang->cmd_special_phone_number = '문자 인증 예외 전화번호';
$lang->cmd_max_auth_sms_count = '문자 인증 횟수 제한';
$lang->after_login_url = '로그인 후 이동할 주소(URL)';
$lang->after_logout_url = '로그아웃 후 이동할 주소(URL)';
$lang->redirect_url = '회원 가입 후 이동할 페이지';
@ -149,6 +150,7 @@ $lang->cmd_member_profile_view = '회원 프로필사진 보이기';
$lang->cmd_allow_duplicate_nickname = '닉네임 중복 허용';
$lang->about_allow_duplicate_nickname = '여러 회원이 동일한 닉네임을 사용하는 것을 허용합니다. 주의: 잘못 사용할 경우 혼란이 발생할 수 있습니다.';
$lang->msg_special_code_incorrect_format = '문자 인증 예외 코드는 6자리 숫자여야 합니다.';
$lang->msg_auth_sms_rate_limited = '인증 시도 횟수가 초과되었습니다. 나중에 다시 시도해 주세요.';
$lang->msg_email_not_exists = '이메일 주소가 존재하지 않습니다.';
$lang->msg_alreay_scrapped = '이미 스크랩된 게시물입니다.';
$lang->msg_folder_alreay_exists = '이미 존재하는 폴더 이름입니다.';
@ -248,6 +250,7 @@ $lang->about_enable_ssl = '서버에서 보안접속(SSL) 지원이 될 경우
$lang->about_limit_day = '회원 가입 후 정해진 일자동안 인증 제한을 할 수 있습니다.';
$lang->about_limit_date = '지정한 날짜까지 로그인을 할 수 없습니다.';
$lang->about_special_phone_number = '문자를 실제 발송하지 않고 미리 설정한 코드를 입력하여 인증을 통과할 수 있는 전화번호를 설정합니다.<br>예외 전화번호는 중복 가입도 허용됩니다. 개발 및 테스트 과정, 앱스토어 등록 심사 등에 활용할 수 있습니다.';
$lang->about_max_auth_sms_count = '동일한 IP에서 동일한 전화번호로 인증 시도하는 횟수를 제한합니다.';
$lang->about_after_login_url = '로그인 후 이동할 URL을 정할 수 있습니다. 입력하지 않으면 로그인 전의 페이지로 돌아갑니다.';
$lang->about_after_logout_url = '로그아웃 후 이동할 URL을 정할 수 있습니다. 입력하지 않으면 로그아웃 전의 페이지로 돌아갑니다.';
$lang->about_redirect_url = '회원 가입 후 이동할 페이지를 선택해 주세요. 선택된 페이지가 없는 경우 이전 페이지로 돌아갑니다.';


@ -369,7 +369,7 @@ class memberAdminController extends member
'limit_day',
'limit_day_description',
'emailhost_check',
'special_phone_number', 'special_phone_code', 'redirect_url',
'special_phone_number', 'special_phone_code', 'max_auth_sms_count', 'max_auth_sms_count_time', 'redirect_url',
'phone_number_default_country', 'phone_number_hide_country', 'phone_number_allow_duplicate', 'phone_number_verify_by_sms',
'profile_image_max_width', 'profile_image_max_height', 'profile_image_max_filesize',
'image_name_max_width', 'image_name_max_height', 'image_name_max_filesize',
@ -390,6 +390,8 @@ class memberAdminController extends member
{
return new BaseObject('-1', 'msg_special_code_incorrect_format');
}
$args->max_auth_sms_count = max(0, intval($args->max_auth_sms_count));
$args->max_auth_sms_count_time = max(0, intval($args->max_auth_sms_count_time));
if($args->redirect_url)
{
$oModuleModel = getModel('module');
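Review bot: The clamp `max(0, intval(...))` on the two new lines accepts and stores 0, but the only consumer added in this commit (the `?: 5` / `?: 600` fallbacks in memberController) treats 0 the same as "unset", so an administrator who enters 0 to disable the limit or to block all attempts silently gets the default 5 attempts per 600 seconds instead. Either reject 0 the way the special-code format check just above does, e.g. `if ($args->max_auth_sms_count < 1 || $args->max_auth_sms_count_time < 1) { return new BaseObject('-1', 'msg_invalid_request'); }` with a matching lang key, or document the convention next to the clamp: `// 0 is stored as-is but means "use the built-in default" at the check site`. Consider also bounding `max_auth_sms_count_time` above, since an arbitrarily large window makes the count query scan the whole table. The enclosing method starts before the first hunk and continues after this one.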


@ -3601,6 +3601,21 @@ class memberController extends member
$is_special = ($config->special_phone_number && $config->special_phone_number === preg_replace('/[^0-9]/', '', $phone_number));
// Check if SMS has already been sent
if (!$is_special)
{
$args = new stdClass;
$args->phone_number = $phone_number;
$args->phone_country = $phone_country;
$args->ipaddress = \RX_CLIENT_IP;
$args->regdate_since = date('YmdHis', time() - ($config->max_auth_sms_count_time ?: 600));
$output = executeQuery('member.chkAuthSms', $args);
if ($output->data->count >= ($config->max_auth_sms_count ?: 5))
{
return new BaseObject(-1, 'msg_auth_sms_rate_limited');
}
}
// Check if phone number is duplicate
if (!$is_special && $config->phone_number_allow_duplicate !== 'Y')
{
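Review bot: The new limiter fails open on a query error: `$output->data->count` is read without checking the result of `executeQuery('member.chkAuthSms', $args)`, and if the query fails `data` is not populated, the `>=` comparison is false, and the SMS is sent as if no limit existed. Add `if (!$output->toBool()) { return $output; }` before the comparison so a broken query blocks the send rather than bypassing the check. Note that the key is (phone number, country, IP) as the lang text describes, so this bounds attempts against one number from one IP only; a per-IP or per-number cap would be a separate follow-up. Whether rows in `member_auth_sms` are written for every attempt or only for successful sends is not visible here, which determines whether this is an attempt limit or a send limit. The enclosing method continues outside the hunk.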


@ -0,0 +1,14 @@
<query id="chkAuthSms" action="select">
<tables>
<table name="member_auth_sms" />
</tables>
<columns>
<column name="count(*)" alias="count" />
</columns>
<conditions>
<condition operation="equal" column="phone_number" var="phone_number" notnull="notnull" />
<condition operation="equal" column="phone_country" var="phone_country" notnull="notnull" />
<condition operation="equal" column="ipaddress" var="ipaddress" />
<condition operation="more" column="regdate" var="regdate_since" />
</conditions>
</query>
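Review bot: The `ipaddress` and `regdate_since` conditions carry no `notnull` attribute, unlike the two phone conditions above them; if I read the query-XML semantics correctly, a condition whose variable is empty is simply omitted, so an empty client IP or a missing time window would widen the count to all IPs or all time rather than surfacing as an error. Since both values are always supplied by the new caller, marking them `notnull="notnull"` costs nothing and makes an unexpected empty value fail loudly instead of silently changing what is being counted.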


@ -72,6 +72,14 @@
<p class="x_help-block">{$lang->about_special_phone_number}</p>
</div>
</div>
<div class="x_control-group">
<p class="x_control-label">{$lang->cmd_max_auth_sms_count}</p>
<div class="x_controls">
<input type="number" min="0" name="max_auth_sms_count" value="{$config->max_auth_sms_count ?: 5}" /> {$lang->unit_count} /
<input type="number" min="0" name="max_auth_sms_count_time" value="{$config->max_auth_sms_count_time ?: 600}" /> {$lang->unit_sec}
<p class="x_help-block">{$lang->about_max_auth_sms_count}</p>
</div>
</div>
<div class="x_control-group">
<label class="x_control-label" for="redirect_url">{$lang->redirect_url}</label>
<div class="x_controls">
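Review bot: The new control group uses `<p class="x_control-label">` where the sibling group directly below uses `<label class="x_control-label" for="redirect_url">`, so the two inputs are not associated with their label; prefer `<label class="x_control-label" for="max_auth_sms_count">{$lang->cmd_max_auth_sms_count}</label>` with a matching `id` on the first input. The `?: 5` and `?: 600` display fallbacks also hide a stored value of 0 behind the default, so the form cannot show whether the administrator saved 0 or never set the option; if 0 is meant to mean "use default", say so in `about_max_auth_sms_count`, otherwise use `??` so only an unset value falls back.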