Merge pull request #5683 from nextcloud/fix/appointments/rate-limit-c…

…onfig-creation-stable3.5 [stable3.5] fix(appointments): Rate limit config creation and booking
nextcloud-releases · Jan 10, 2024 · e7613e1 · e7613e1
2 parents af21e82 + f60459f
commit e7613e1
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 2 deletions.
diff --git a/lib/Controller/AppointmentConfigController.php b/lib/Controller/AppointmentConfigController.php
@@ -35,6 +35,7 @@
 use OCA\Calendar\Service\Appointments\AppointmentConfigService;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\IRequest;
 use Psr\Log\LoggerInterface;
 use function array_keys;
@@ -148,7 +149,9 @@ private function validateAvailability(array $availability): void {
 	 * @param int|null $end
 	 * @param int|null $futureLimit
 	 * @return JsonResponse
+	 * @UserRateThrottle(limit=10, period=1200)
 	 */
+	#[UserRateLimit(limit: 10, period: 1200)]
 	public function create(
 		string $name,
 		string $description,

diff --git a/lib/Controller/BookingController.php b/lib/Controller/BookingController.php
@@ -38,6 +38,8 @@
 use OCA\Calendar\Service\Appointments\BookingService;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\AnonRateLimit;
+use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Services\IInitialState;
 use OCP\AppFramework\Utility\ITimeFactory;
@@ -163,7 +165,12 @@ public function getBookableSlots(int $appointmentConfigId,
 	 * @param string $description
 	 * @param string $timeZone
 	 * @return JsonResponse
+	 *
+	 * @AnonRateThrottle(limit=10, period=1200)
+	 * @UserRateThrottle(limit=10, period=300)
 	 */
+	#[AnonRateLimit(limit: 10, period: 1200)]
+	#[UserRateLimit(limit: 10, period: 300)]
 	public function bookSlot(int $appointmentConfigId,
 							 int $start,
 							 int $end,

diff --git a/src/components/AppointmentConfigModal.vue b/src/components/AppointmentConfigModal.vue
@@ -127,7 +127,10 @@
 						</div>
 					</fieldset>
 				</div>
-				<button class="primary appointment-config-modal__submit-button"
+				<div v-if="rateLimitingReached">
+					{{ t('calendar', 'It seems a rate limit has been reached. Please try again later.') }}
+				</div>
+				<button class="appointment-config-modal__submit-button"
 					:disabled="!editing.name || editing.length === 0"
 					@click="save">
 					{{ saveButtonText }}
@@ -184,6 +187,7 @@ export default {
 			enablePreparationDuration: false,
 			enableFollowupDuration: false,
 			enableFutureLimit: false,
+			rateLimitingReached: false,
 			showConfirmation: false,
 		}
 	},
@@ -267,6 +271,8 @@ export default {
 			this.editing.calendarFreeBusyUris = this.editing.calendarFreeBusyUris.filter(uri => uri !== this.calendarUrlToUri(calendar.url))
 		},
 		async save() {
+			this.rateLimitingReached = false
+
 			if (!this.enablePreparationDuration) {
 				this.editing.preparationDuration = this.defaultConfig.preparationDuration
 			}
@@ -292,6 +298,9 @@ export default {
 				}
 				this.showConfirmation = true
 			} catch (error) {
+				if (error?.response?.status === 429) {
+					this.rateLimitingReached = true
+				}
 				logger.error('Failed to save config', { error, config, isNew: this.isNew })
 			}
 		},

diff --git a/src/components/Appointments/AppointmentDetails.vue b/src/components/Appointments/AppointmentDetails.vue
@@ -50,6 +50,10 @@
 							autocomplete="off" />
 					</div>
 				</div>
+				<div v-if="showRateLimitingWarning"
+					class="booking-error">
+					{{ $t('calendar', 'It seems a rate limit has been reached. Please try again later.') }}
+				</div>
 				<div v-if="showError"
 					class="booking-error">
 					{{ $t('calendar', 'Could not book the appointment. Please try again later or contact the organizer.') }}
@@ -101,6 +105,10 @@ export default {
 			required: true,
 			type: String,
 		},
+		showRateLimitingWarning: {
+			required: true,
+			type: Boolean,
+		},
 		showError: {
 			required: true,
 			type: Boolean,

diff --git a/src/views/Appointments/Booking.vue b/src/views/Appointments/Booking.vue
@@ -73,6 +73,7 @@
 				:visitor-info="visitorInfo"
 				:time-zone-id="timeZone"
 				:show-error="bookingError"
+				:show-rate-limiting-warning="bookingRateLimit"
 				@save="onSave"
 				@close="selectedSlot = undefined" />
 		</div>
@@ -146,6 +147,7 @@ export default {
 			selectedSlot: undefined,
 			bookingConfirmed: false,
 			bookingError: false,
+			bookingRateLimit: false,
 		}
 	},
 	watch: {
@@ -206,6 +208,7 @@ export default {
 			})
 
 			this.bookingError = false
+			this.bookingRateLimit = false
 			try {
 				await bookSlot(this.config, slot, displayName, email, description, timeZone)
 
@@ -215,7 +218,11 @@ export default {
 				this.bookingConfirmed = true
 			} catch (e) {
 				console.error('could not book appointment', e)
-				this.bookingError = true
+				if (e?.response?.status === 429) {
+					this.bookingRateLimit = true
+				} else {
+					this.bookingError = true
+				}
 			}
 		},
 		onSlotClicked(slot) {