From 96721120f7f30ae486be7bc2bc03c62db856c48f Mon Sep 17 00:00:00 2001
From: Julius Knorr
Date: Thu, 7 Nov 2024 09:59:47 +0100
Subject: [PATCH] fix: Properly throttle in error cases and add rate limit for public file creation

Signed-off-by: Julius Knorr
---
 lib/Controller/DocumentAPIController.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/Controller/DocumentAPIController.php b/lib/Controller/DocumentAPIController.php
index b6a495bc13..d1975243f9 100644
--- a/lib/Controller/DocumentAPIController.php
+++ b/lib/Controller/DocumentAPIController.php
@@ -30,6 +30,7 @@
 use OCA\Richdocuments\Helper;
 use OCA\Richdocuments\TemplateManager;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\AnonRateLimit;
 use OCP\AppFramework\Http\Attribute\BruteForceProtection;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\PublicPage;
@@ -74,6 +75,7 @@ public function __construct(
 #[NoAdminRequired]
 #[PublicPage]
 #[BruteForceProtection(action: 'richdocumentsCreatePublic')]
+#[AnonRateLimit(limit: 5, period: 120)]
 public function create(string $mimeType, string $fileName, string $directoryPath = '/', ?string $shareToken = null, ?int $templateId = null): JSONResponse {
 try {
 if ($shareToken !== null) {
@@ -100,10 +102,12 @@ public function create(string $mimeType, string $fileName, string $directoryPath
 }
 } catch (Throwable $e) {
 $this->logger->error('Failed to create document', ['exception' => $e]);
-return new JSONResponse([
+$response = new JSONResponse([
 'status' => 'error',
 'message' => $this->l10n->t('Cannot create document')
 ], Http::STATUS_BAD_REQUEST);
+$response->throttle();
+return $response;
 }
 
 $basename = $this->l10n->t('New Document.odt');
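Review bot: The new `#[AnonRateLimit(limit: 5, period: 120)]` line above `create` carries two bare numbers with no record of why they were chosen, and the attribute sits on a method that is also reachable by logged-in users through the `$shareToken === null` branch; a short comment would settle both, e.g. `// Unauthenticated (share-link) callers: at most 5 creations per 120 s; the throttle in the catch block covers failed attempts.` As far as the attribute name suggests, the limit applies only to anonymous requests, so authenticated callers should be unaffected, but that is inferred from the name rather than visible here and is worth confirming against the server middleware. A tuning note that many anonymous users behind one NAT or a misconfigured proxy share this budget would also help whoever later raises or lowers it. The body of `create` continues outside this hunk.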
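Review bot: `$response->throttle()` is now invoked for every `Throwable` caught in `create`, which includes failures on the authenticated path and errors that are not attributable to the caller (a missing template, storage errors), so a legitimate user whose creations keep failing will be slowed by the brute-force layer alongside anyone probing share tokens. If the intent of the fix is to penalise only attempts through the public share path, consider scoping the throttle, e.g. `if ($shareToken !== null) { $response->throttle(); }`, or throttling only on the exception types that signal a bad token or input; if throttling on every error is deliberate, a one-line comment saying so above the call would stop the next reader from "fixing" it. Keeping the generic `Cannot create document` message for the client with the full exception only in the log is the right split and should stay. The enclosing `create` method starts and ends outside this hunk.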