author | Florian Klinger <florian.klinger@nextcloud.com> | 2024-03-12 10:53:14 +0100 |
committer | Andrey Borysenko <andrey18106x@gmail.com> | 2024-03-18 20:09:15 +0200 |
commit | f3a4abd98cc84f3ecdfd4421015d310a731ecb2d (patch) | |
tree | 72d7a0d019a6433f42b95fcc49f236837850e5ca /lib/private/AppFramework | |
parent | 133a17aa96f3778a8c527cf096eb5a575df24e84 (diff) | |
download | nextcloud-server-f3a4abd98cc84f3ecdfd4421015d310a731ecb2d.tar.gz nextcloud-server-f3a4abd98cc84f3ecdfd4421015d310a731ecb2d.zip |
fix: add check for app_api_system session flag to bypass rate limit
Signed-off-by: Florian Klinger <florian.klinger@nextcloud.com>
Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>
Diffstat (limited to 'lib/private/AppFramework')
-rw-r--r-- | lib/private/AppFramework/DependencyInjection/DIContainer.php | 3 | ||||
-rw-r--r-- | lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php | 7 |
2 files changed, 9 insertions, 1 deletions
diff --git a/lib/private/AppFramework/DependencyInjection/DIContainer.php b/lib/private/AppFramework/DependencyInjection/DIContainer.php
index a5273d2f335..5fff0aec9d8 100644
--- a/lib/private/AppFramework/DependencyInjection/DIContainer.php
+++ b/lib/private/AppFramework/DependencyInjection/DIContainer.php
@@ -302,7 +302,8 @@ class DIContainer extends SimpleContainer implements IAppContainer {
 					$c->get(IRequest::class),
 					$c->get(IUserSession::class),
 					$c->get(IControllerMethodReflector::class),
-					$c->get(OC\Security\RateLimiting\Limiter::class)
+					$c->get(OC\Security\RateLimiting\Limiter::class),
+					$c->get(ISession::class)
 				)
 			);
 			$dispatcher->registerMiddleware(
diff --git a/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php b/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php
index 6f84a0c94d0..ffaa0cd19cb 100644
--- a/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php
@@ -40,6 +40,7 @@ use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Middleware;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\IUserSession;
 use ReflectionMethod;
 
@@ -70,6 +71,7 @@ class RateLimitingMiddleware extends Middleware {
 		protected IUserSession $userSession,
 		protected ControllerMethodReflector $reflector,
 		protected Limiter $limiter,
+		protected ISession $session,
 	) {
 	}
 
@@ -81,6 +83,11 @@ class RateLimitingMiddleware extends Middleware {
 		parent::beforeController($controller, $methodName);
 		$rateLimitIdentifier = get_class($controller) . '::' . $methodName;
 
+		if ($this->session->exists('app_api_system')) {
+			// Bypass rate limiting for app_api
+			return;
+		}
+
 		if ($this->userSession->isLoggedIn()) {
 			$rateLimit = $this->readLimitFromAnnotationOrAttribute($controller, $methodName, 'UserRateThrottle', UserRateLimit::class);
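Review bot: The new `$c->get(ISession::class)` argument is written unqualified while the neighbouring `OC\Security\RateLimiting\Limiter::class` is spelled out, and this commit adds a `use OCP\ISession;` line only to RateLimitingMiddleware.php, not to DIContainer.php. `::class` is resolved at compile time against the current namespace and imports without checking that the class exists, so unless DIContainer.php already imports `OCP\ISession` (its `use` block is not in this diff) the container would be asked for `OC\AppFramework\DependencyInjection\ISession` and the middleware registration would fail at request time. If the import is absent, either add `use OCP\ISession;` to DIContainer.php or write `$c->get(\OCP\ISession::class)` to match the fully-qualified style of the `Limiter` line. The `registerService` closure that builds the middleware dispatcher starts and ends outside this hunk.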
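Review bot: The new `protected ISession $session` constructor parameter carries no documentation of what the middleware reads from the session, and from the following hunk its only use is to skip every rate limit when the `app_api_system` key is present. Because that lookup uses `exists()` rather than checking the value, any code path that can write that key into the session disables throttling for the request, so the constructor is the place to record who is allowed to set it. I would add a one-line comment above the parameter stating that it is read only for the `app_api_system` bypass flag, that presence of the key alone disables rate limiting, and that the key is expected to be set exclusively by the server's own AppAPI authentication handling (where it is set is not visible in this diff and should be confirmed). The constructor's `__construct(` line is outside this hunk.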