From f60459fe998d830f50cb722de0cc3f4d4191f9b5 Mon Sep 17 00:00:00 2001
From: Christoph Wurst <christoph@winzerhof-wurst.at>
Date: Thu, 4 Jan 2024 10:04:35 +0100
Subject: [PATCH] fix(appointments): Rate limit config creation and booking

Abusing the appointment config endpoint can lead to additional server
load. Sending bulks of booking requests can lead to mass notifications
and emails and server load, too.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
---
 lib/Controller/AppointmentConfigController.php     |  3 +++
 lib/Controller/BookingController.php               |  7 +++++++
 src/components/AppointmentConfigModal.vue          | 11 ++++++++++-
 src/components/Appointments/AppointmentDetails.vue |  8 ++++++++
 src/views/Appointments/Booking.vue                 |  9 ++++++++-
 5 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/lib/Controller/AppointmentConfigController.php b/lib/Controller/AppointmentConfigController.php
index 8af29cb7d..33b131040 100644
--- a/lib/Controller/AppointmentConfigController.php
+++ b/lib/Controller/AppointmentConfigController.php
@@ -35,6 +35,7 @@
 use OCA\Calendar\Service\Appointments\AppointmentConfigService;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\IRequest;
 use Psr\Log\LoggerInterface;
 use function array_keys;
@@ -148,7 +149,9 @@ private function validateAvailability(array $availability): void {
 	 * @param int|null $end
 	 * @param int|null $futureLimit
 	 * @return JsonResponse
+	 * @UserRateThrottle(limit=10, period=1200)
 	 */
+	#[UserRateLimit(limit: 10, period: 1200)]
 	public function create(
 		string $name,
 		string $description,
diff --git a/lib/Controller/BookingController.php b/lib/Controller/BookingController.php
index 4339c1430..f1142d919 100644
--- a/lib/Controller/BookingController.php
+++ b/lib/Controller/BookingController.php
@@ -38,6 +38,8 @@
 use OCA\Calendar\Service\Appointments\BookingService;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\AnonRateLimit;
+use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Services\IInitialState;
 use OCP\AppFramework\Utility\ITimeFactory;
@@ -163,7 +165,12 @@ public function getBookableSlots(int $appointmentConfigId,
 	 * @param string $description
 	 * @param string $timeZone
 	 * @return JsonResponse
+	 *
+	 * @AnonRateThrottle(limit=10, period=1200)
+	 * @UserRateThrottle(limit=10, period=300)
 	 */
+	#[AnonRateLimit(limit: 10, period: 1200)]
+	#[UserRateLimit(limit: 10, period: 300)]
 	public function bookSlot(int $appointmentConfigId,
 							 int $start,
 							 int $end,
diff --git a/src/components/AppointmentConfigModal.vue b/src/components/AppointmentConfigModal.vue
index 4e4975ab2..30defdbff 100644
--- a/src/components/AppointmentConfigModal.vue
+++ b/src/components/AppointmentConfigModal.vue
@@ -127,7 +127,10 @@
 						</div>
 					</fieldset>
 				</div>
-				<button class="primary appointment-config-modal__submit-button"
+				<div v-if="rateLimitingReached">
+					{{ t('calendar', 'It seems a rate limit has been reached. Please try again later.') }}
+				</div>
+				<button class="appointment-config-modal__submit-button"
 					:disabled="!editing.name || editing.length === 0"
 					@click="save">
 					{{ saveButtonText }}
@@ -184,6 +187,7 @@ export default {
 			enablePreparationDuration: false,
 			enableFollowupDuration: false,
 			enableFutureLimit: false,
+			rateLimitingReached: false,
 			showConfirmation: false,
 		}
 	},
@@ -267,6 +271,8 @@ export default {
 			this.editing.calendarFreeBusyUris = this.editing.calendarFreeBusyUris.filter(uri => uri !== this.calendarUrlToUri(calendar.url))
 		},
 		async save() {
+			this.rateLimitingReached = false
+
 			if (!this.enablePreparationDuration) {
 				this.editing.preparationDuration = this.defaultConfig.preparationDuration
 			}
@@ -292,6 +298,9 @@ export default {
 				}
 				this.showConfirmation = true
 			} catch (error) {
+				if (error?.response?.status === 429) {
+					this.rateLimitingReached = true
+				}
 				logger.error('Failed to save config', { error, config, isNew: this.isNew })
 			}
 		},
diff --git a/src/components/Appointments/AppointmentDetails.vue b/src/components/Appointments/AppointmentDetails.vue
index cf7ae7b4f..f1797160d 100644
--- a/src/components/Appointments/AppointmentDetails.vue
+++ b/src/components/Appointments/AppointmentDetails.vue
@@ -50,6 +50,10 @@
 							autocomplete="off" />
 					</div>
 				</div>
+				<div v-if="showRateLimitingWarning"
+					class="booking-error">
+					{{ $t('calendar', 'It seems a rate limit has been reached. Please try again later.') }}
+				</div>
 				<div v-if="showError"
 					class="booking-error">
 					{{ $t('calendar', 'Could not book the appointment. Please try again later or contact the organizer.') }}
@@ -101,6 +105,10 @@ export default {
 			required: true,
 			type: String,
 		},
+		showRateLimitingWarning: {
+			required: true,
+			type: Boolean,
+		},
 		showError: {
 			required: true,
 			type: Boolean,
diff --git a/src/views/Appointments/Booking.vue b/src/views/Appointments/Booking.vue
index 5f5df28b9..617206a8c 100644
--- a/src/views/Appointments/Booking.vue
+++ b/src/views/Appointments/Booking.vue
@@ -73,6 +73,7 @@
 				:visitor-info="visitorInfo"
 				:time-zone-id="timeZone"
 				:show-error="bookingError"
+				:show-rate-limiting-warning="bookingRateLimit"
 				@save="onSave"
 				@close="selectedSlot = undefined" />
 		</div>
@@ -146,6 +147,7 @@ export default {
 			selectedSlot: undefined,
 			bookingConfirmed: false,
 			bookingError: false,
+			bookingRateLimit: false,
 		}
 	},
 	watch: {
@@ -206,6 +208,7 @@ export default {
 			})
 
 			this.bookingError = false
+			this.bookingRateLimit = false
 			try {
 				await bookSlot(this.config, slot, displayName, email, description, timeZone)
 
@@ -215,7 +218,11 @@ export default {
 				this.bookingConfirmed = true
 			} catch (e) {
 				console.error('could not book appointment', e)
-				this.bookingError = true
+				if (e?.response?.status === 429) {
+					this.bookingRateLimit = true
+				} else {
+					this.bookingError = true
+				}
 			}
 		},
 		onSlotClicked(slot) {