Add rate-limiting

I've updated the button with some rate-limiting.

This involved adding a couple columns (REAL last_click, INTEGER spamming) to the db table.
On click, delta from last_click is checked; if less than minimum time, spamming flag is set and team can't submit for 10s (variable). If spamming is set, but it's been longer than spam_ban_time, spamming is unset, and click is allowed.

Whether click succeeds or not, last_click is updated.

Author: meznak

schema.sql

@@ -6,7 +6,9 @@ CREATE TABLE teams(
     id INTEGER PRIMARY KEY NOT NULL,
     name TEXT(20) NOT NULL UNIQUE,
     score REAL(10, 2),
-    hash TEXT(100) NOT NULL
+    hash TEXT(100) NOT NULL,
+    last_click REAL,
+    spamming INTEGER
 );
 
 DROP TABLE IF EXISTS flags;
@@ -22,6 +24,6 @@ INSERT into flags (value) VALUES ('congrats flag3');
 INSERT into flags (value) VALUES ('congrats flag4');
 INSERT into flags (value) VALUES ('congrats flag5');
 
-INSERT into teams (name, score, hash) VALUES ('aaa', 0, '$2a$04$v6PKN3tpOyaiKV/3VZOjh.RRoDUDvITVLZuSwhzyRVbK82ANFMQOi');
-INSERT into teams (name, score, hash) VALUES ('bbb', 0, '$2a$12$ydNsdi763MvDytMGdiBNE.rqWeoJxx9pRYHKyIRZ3l/E.x6pLOLmi');
-INSERT into teams (name, score, hash) VALUES ('ccc', 0, '$2a$12$uW7DWD3n497ZlVA1gJiuhOftfIudF/nINoiQKwm2/3rnvjuCg6Ldy');
+INSERT into teams (name, score, hash, last_click, spamming) VALUES ('aaa', 0, '$2a$04$v6PKN3tpOyaiKV/3VZOjh.RRoDUDvITVLZuSwhzyRVbK82ANFMQOi', 10000, 0);
+INSERT into teams (name, score, hash, last_click, spamming) VALUES ('bbb', 0, '$2a$12$ydNsdi763MvDytMGdiBNE.rqWeoJxx9pRYHKyIRZ3l/E.x6pLOLmi', 10000, 0);
+INSERT into teams (name, score, hash, last_click, spamming) VALUES ('ccc', 0, '$2a$12$uW7DWD3n497ZlVA1gJiuhOftfIudF/nINoiQKwm2/3rnvjuCg6Ldy', 10000, 0);

src/button.py

@@ -18,6 +18,8 @@
 db = sqlite3.connect(app_dir + '/../database.db')
 #TODO Change this to 1800 for production
 time_in_round = 1800
+min_time_between_clicks = 1
+spam_ban_time = 10
 flag_index = 0
 
 class BaseHandler(tornado.web.RequestHandler):
@@ -48,6 +50,31 @@ def post(self):
         if(str(md5.new(team + captcha + captcha_id).hexdigest()) != token):
             raise tornado.web.HTTPError(403)
 
+        # is the team being spammy?
+        now = time.time()
+        cursor = db.cursor()
+        packaged = (team, ) #no idea why you have to do this
+        cursor.execute("SELECT * from teams WHERE name=? LIMIT 1", packaged)
+        row = cursor.fetchone()
+        if not row:
+            raise tornado.web.HTTPError(403)
+        last_click = row[4]
+        spamming = row[5]
+
+        since_last_click = now - last_click
+
+        if (spamming != 0):
+            if (since_last_click > spam_ban_time):
+                self.set_spamming(team, 0)
+            else:
+                raise tornado.web.HTTPError(403)
+        else:
+            if (since_last_click < min_time_between_clicks):
+                self.set_spamming(team, 1)
+                raise tornado.web.HTTPError(403)
+
+        self.set_click_time(team, now)
+
         #check the captcha
         captcha_id_int = int(captcha_id)
         captcha_answer = captchas[captcha_id_int]
@@ -72,6 +99,18 @@ def get(self):
         teamname = self.get_current_user()
         self.render(app_dir + "/public/button.html", scoreboard=scoreboard, teamname=teamname)
 
+    def set_spamming(self, team, spamming):
+        cursor = db.cursor()
+        packaged = (spamming, team) #no idea why you have to do this
+        cursor.execute("UPDATE teams SET spamming=? WHERE name=?", packaged)
+        db.commit()
+
+    def set_click_time(self, team, now):
+        cursor = db.cursor()
+        packaged = (now, team) #no idea why you have to do this
+        cursor.execute("UPDATE teams SET last_click=? WHERE name=?", packaged)
+        db.commit()
+
 class ScoreSocketHandler(tornado.websocket.WebSocketHandler):
     buttoneers = set()