Protect register endpoint from some bots

TiTi · TiTi · commit 35590cd269ff · 2026-01-13T01:02:50.000+01:00
They create users like:
hVTSSkcQDfprXpJkMFcR TyfUqQmWOWuIudYjn
alzAAHhzbxcUBAdiyupV MumHmKSyNTYYwCybOJ
JaLujCDdPfvXIYWXhioZqa KgnlfrgUOqNqVAbRiurUeb
diff --git a/back/app_flask.py b/back/app_flask.py
@@ -16,6 +16,7 @@
 import ics
 import markdown
 import datetime
+import requests
 
 # ------------------------------
 # Our helpers
@@ -353,6 +354,13 @@ def logout():
 def register():
   """Register an account"""
   if request.method == 'POST':
+
+    if settings.country_check != '':
+      # anti bots
+      r = requests.get(f"http://ip-api.com/json/{request.remote_addr}")
+      if r.status_code == 200 and r.json()['country'] != settings.country_check:
+        return "Blocked", 403
+
     httpcode, result, opts = createUser(request.form)
     if httpcode == 201:
       f = request.form
diff --git a/back/requirements.txt b/back/requirements.txt
@@ -9,4 +9,5 @@ mailjet_rest==1.3.4
 Markdown~=3.8.0
 ics==0.7.2
 gunicorn==23.0.0
-PyYAML==6.0.2
+PyYAML==6.0.2
+requests==2.32.5
diff --git a/back/settings.py b/back/settings.py
@@ -37,6 +37,7 @@
 backgrounds_folder = 'backgrounds'
 uploads_allowed_extensions = {'png', 'jpg', 'jpeg', 'gif'}
 international_prefix = '+33'
+country_check = 'France'
 temporary_user_duration = datetime.timedelta(days=60) # +web_remember_JWT_ACCESS_TOKEN_EXPIRES if user checked remember credentials
 domain = "https://calendrier.lyonparapente.fr"
 emails = {
diff --git a/last_release.md b/last_release.md
@@ -1 +1 @@
-* Fix problem in change_password when not logged in (regression in 78b0031623e19c5b0ae1899ea83ce4a5808a2343)
+* Protect register endpoint from some bots

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-* Fix problem in change_password when not logged in (regression in 78b0031623e19c5b0ae1899ea83ce4a5808a2343)`
	`1`	`+* Protect register endpoint from some bots`