Merge pull request #56346 from nextcloud/feat/noid/allow-overwriting-rate-limit

nickvergessen · web-flow · commit 49324bcb21fd · 2025-11-12T10:09:16.000+01:00
feat(rate-limit): Allow overwriting the rate limit
diff --git a/config/config.sample.php b/config/config.sample.php
@@ -473,6 +473,30 @@
 	 */
 	'ratelimit.protection.enabled' => true,
 
+	/**
+	 * Overwrite the individual rate limit for a specific route
+	 *
+	 * From time to time it can be necessary to extend the rate limit of a specific route,
+	 * depending on your usage pattern or when you script some actions.
+	 * Instead of completely disabling the rate limit or excluding an IP address from the
+	 * rate limit, the following config allows to overwrite the rate limit duration and period.
+	 *
+	 * The first level key is the name of the route. You can find the route name from a URL
+	 * using the ``occ router:list`` command of your server.
+	 *
+	 * You can also specify different limits for logged-in users with the ``user`` key
+	 * and not-logged-in users with the ``anon`` key. However, if there is no specific ``user`` limit,
+	 * the ``anon`` limit is also applied for logged-in users.
+	 *
+	 * Defaults to empty array ``[]``
+	 */
+	'ratelimit_overwrite' => [
+		'profile.profilepage.index' => [
+			'user' => ['limit' => 300, 'period' => 3600],
+			'anon' => ['limit' => 1, 'period' => 300],
+		]
+	],
+
 	/**
 	 * Size of subnet used to normalize IPv6
 	 *
diff --git a/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php b/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php
@@ -22,9 +22,11 @@
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Middleware;
 use OCP\IAppConfig;
+use OCP\IConfig;
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\IUserSession;
+use Psr\Log\LoggerInterface;
 use ReflectionMethod;
 
 /**
@@ -56,7 +58,9 @@ public function __construct(
 		protected Limiter $limiter,
 		protected ISession $session,
 		protected IAppConfig $appConfig,
+		protected IConfig $serverConfig,
 		protected BruteforceAllowList $bruteForceAllowList,
+		protected LoggerInterface $logger,
 	) {
 	}
 
@@ -74,7 +78,13 @@ public function beforeController(Controller $controller, string $methodName): vo
 		}
 
 		if ($this->userSession->isLoggedIn()) {
-			$rateLimit = $this->readLimitFromAnnotationOrAttribute($controller, $methodName, 'UserRateThrottle', UserRateLimit::class);
+			$rateLimit = $this->readLimitFromAnnotationOrAttribute(
+				$controller,
+				$methodName,
+				'UserRateThrottle',
+				UserRateLimit::class,
+				'user',
+			);
 
 			if ($rateLimit !== null) {
 				if ($this->appConfig->getValueBool('bruteforcesettings', 'apply_allowlist_to_ratelimit')
@@ -94,7 +104,13 @@ public function beforeController(Controller $controller, string $methodName): vo
 			// If not user specific rate limit is found the Anon rate limit applies!
 		}
 
-		$rateLimit = $this->readLimitFromAnnotationOrAttribute($controller, $methodName, 'AnonRateThrottle', AnonRateLimit::class);
+		$rateLimit = $this->readLimitFromAnnotationOrAttribute(
+			$controller,
+			$methodName,
+			'AnonRateThrottle',
+			AnonRateLimit::class,
+			'anon',
+		);
 
 		if ($rateLimit !== null) {
 			$this->limiter->registerAnonRequest(
@@ -115,7 +131,35 @@ public function beforeController(Controller $controller, string $methodName): vo
 	 * @param class-string<T> $attributeClass
 	 * @return ?ARateLimit
 	 */
-	protected function readLimitFromAnnotationOrAttribute(Controller $controller, string $methodName, string $annotationName, string $attributeClass): ?ARateLimit {
+	protected function readLimitFromAnnotationOrAttribute(Controller $controller, string $methodName, string $annotationName, string $attributeClass, string $overwriteKey): ?ARateLimit {
+		$rateLimitOverwrite = $this->serverConfig->getSystemValue('ratelimit_overwrite', []);
+		if (!empty($rateLimitOverwrite)) {
+			$controllerRef = new \ReflectionClass($controller);
+			$appName = $controllerRef->getProperty('appName')->getValue($controller);
+			$controllerName = substr($controller::class, strrpos($controller::class, '\\') + 1);
+			$controllerName = substr($controllerName, 0, 0 - strlen('Controller'));
+
+			$overwriteConfig = strtolower($appName . '.' . $controllerName . '.' . $methodName);
+			$rateLimitOverwriteForActionAndType = $rateLimitOverwrite[$overwriteConfig][$overwriteKey] ?? null;
+			if ($rateLimitOverwriteForActionAndType !== null) {
+				$isValid = isset($rateLimitOverwriteForActionAndType['limit'], $rateLimitOverwriteForActionAndType['period'])
+					&& $rateLimitOverwriteForActionAndType['limit'] > 0
+					&& $rateLimitOverwriteForActionAndType['period'] > 0;
+
+				if ($isValid) {
+					return new $attributeClass(
+						(int)$rateLimitOverwriteForActionAndType['limit'],
+						(int)$rateLimitOverwriteForActionAndType['period'],
+					);
+				}
+
+				$this->logger->warning('Rate limit overwrite on controller "{overwriteConfig}" for "{overwriteKey}" is invalid', [
+					'overwriteConfig' => $overwriteConfig,
+					'overwriteKey' => $overwriteKey,
+				]);
+			}
+		}
+
 		$annotationLimit = $this->reflector->getAnnotationParameter($annotationName, 'limit');
 		$annotationPeriod = $this->reflector->getAnnotationParameter($annotationName, 'period');
 
diff --git a/tests/lib/AppFramework/Middleware/Security/RateLimitingMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/RateLimitingMiddlewareTest.php
@@ -17,11 +17,13 @@
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\IAppConfig;
+use OCP\IConfig;
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\IUser;
 use OCP\IUserSession;
 use PHPUnit\Framework\MockObject\MockObject;
+use Psr\Log\LoggerInterface;
 use Test\AppFramework\Middleware\Security\Mock\RateLimitingMiddlewareController;
 use Test\TestCase;
 
@@ -33,7 +35,9 @@ class RateLimitingMiddlewareTest extends TestCase {
 	private Limiter|MockObject $limiter;
 	private ISession|MockObject $session;
 	private IAppConfig|MockObject $appConfig;
+	private IConfig|MockObject $serverConfig;
 	private BruteforceAllowList|MockObject $bruteForceAllowList;
+	private LoggerInterface|MockObject $logger;
 	private RateLimitingMiddleware $rateLimitingMiddleware;
 
 	protected function setUp(): void {
@@ -45,7 +49,9 @@ protected function setUp(): void {
 		$this->limiter = $this->createMock(Limiter::class);
 		$this->session = $this->createMock(ISession::class);
 		$this->appConfig = $this->createMock(IAppConfig::class);
+		$this->serverConfig = $this->createMock(IConfig::class);
 		$this->bruteForceAllowList = $this->createMock(BruteforceAllowList::class);
+		$this->logger = $this->createMock(LoggerInterface::class);
 
 		$this->rateLimitingMiddleware = new RateLimitingMiddleware(
 			$this->request,
@@ -54,7 +60,9 @@ protected function setUp(): void {
 			$this->limiter,
 			$this->session,
 			$this->appConfig,
+			$this->serverConfig,
 			$this->bruteForceAllowList,
+			$this->logger
 		);
 	}
 
