author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2024-03-19 09:32:57 +0100 |
committer | GitHub <noreply@github.com> | 2024-03-19 09:32:57 +0100 |
commit | 6101abbb2dd9408cdda666ec491751447dc1ab07 (patch) | |
tree | fe1159ae7f239c8967b7e30d47d868c4e34c36e9 | |
parent | cfca735056287d5de2c2d4b9feed7bf1a5c323e0 (diff) | |
parent | f3a4abd98cc84f3ecdfd4421015d310a731ecb2d (diff) | |
Merge pull request #44154 from nextcloud/enh/appapi-rate-limit-bypass
Added rate limit bypass for app_api requests
3 files changed, 14 insertions, 2 deletions
diff --git a/lib/private/AppFramework/DependencyInjection/DIContainer.php b/lib/private/AppFramework/DependencyInjection/DIContainer.php
index a5273d2f335..5fff0aec9d8 100644
--- a/lib/private/AppFramework/DependencyInjection/DIContainer.php
+++ b/lib/private/AppFramework/DependencyInjection/DIContainer.php
@@ -302,7 +302,8 @@ class DIContainer extends SimpleContainer implements IAppContainer {
 $c->get(IRequest::class),
 $c->get(IUserSession::class),
 $c->get(IControllerMethodReflector::class),
- $c->get(OC\Security\RateLimiting\Limiter::class)
+ $c->get(OC\Security\RateLimiting\Limiter::class),
+ $c->get(ISession::class)
 )
 );
 $dispatcher->registerMiddleware(
diff --git a/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php b/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php
index 6f84a0c94d0..ffaa0cd19cb 100644
--- a/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php
@@ -40,6 +40,7 @@ use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Middleware;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\IUserSession;
 use ReflectionMethod;
 
@@ -70,6 +71,7 @@ class RateLimitingMiddleware extends Middleware {
 protected IUserSession $userSession,
 protected ControllerMethodReflector $reflector,
 protected Limiter $limiter,
+ protected ISession $session,
 ) {
 }
 
@@ -81,6 +83,11 @@ class RateLimitingMiddleware extends Middleware {
 parent::beforeController($controller, $methodName);
 
 $rateLimitIdentifier = get_class($controller) . '::' . $methodName;
+ if ($this->session->exists('app_api_system')) {
+ // Bypass rate limiting for app_api
+ return;
+ }
+
 if ($this->userSession->isLoggedIn()) {
 $rateLimit = $this->readLimitFromAnnotationOrAttribute($controller, $methodName, 'UserRateThrottle', UserRateLimit::class);
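Review bot: The early return added in beforeController fires on the mere existence of the `app_api_system` session key, so any code path that stores that key under any value (even false or null) switches off both user and anonymous throttling for every controller in the request, and because the check sits before any limit is read it acts as a global kill switch keyed on a single session entry. A strict value check narrows that, `if ($this->session->get('app_api_system') === true) {`, and the return could move above the `$rateLimitIdentifier` assignment, whose result is discarded on that path. The one-line comment should also name the trust boundary it relies on, e.g. `// Skip throttling for requests already authenticated as AppAPI system calls (key presumably set by the AppAPI auth path - confirm)`. Per the diffstat the test hunks only inject the ISession mock and add no case for the new branch, so a test asserting the limiter is not consulted when the key is set and is consulted when it is absent would pin the intended behaviour. The body of beforeController continues past the end of this hunk.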
diff --git a/tests/lib/AppFramework/Middleware/Security/RateLimitingMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/RateLimitingMiddlewareTest.php
index 47d479b18a1..c0988ff5a11 100644
--- a/tests/lib/AppFramework/Middleware/Security/RateLimitingMiddlewareTest.php
+++ b/tests/lib/AppFramework/Middleware/Security/RateLimitingMiddlewareTest.php
@@ -37,6 +37,7 @@ use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\IUser;
 use OCP\IUserSession;
 use PHPUnit\Framework\MockObject\MockObject;
@@ -77,6 +78,7 @@ class RateLimitingMiddlewareTest extends TestCase {
 private IUserSession|MockObject $userSession;
 private ControllerMethodReflector $reflector;
 private Limiter|MockObject $limiter;
+ private ISession|MockObject $session;
 private RateLimitingMiddleware $rateLimitingMiddleware;
 
 protected function setUp(): void {
@@ -86,12 +88,14 @@ class RateLimitingMiddlewareTest extends TestCase {
 $this->userSession = $this->createMock(IUserSession::class);
 $this->reflector = new ControllerMethodReflector();
 $this->limiter = $this->createMock(Limiter::class);
+ $this->session = $this->createMock(ISession::class);
 $this->rateLimitingMiddleware = new RateLimitingMiddleware(
 $this->request,
 $this->userSession,
 $this->reflector,
- $this->limiter
+ $this->limiter,
+ $this->session
 );
 }
 |