fix(appointments): Rate limit config creation and booking

Abusing the appointment config endpoint can lead to additional server load. Sending bulks of booking requests can lead to mass notifications and emails and server load, too. Signed-off-by: Christoph Wurst <[email protected]>
nextcloud · Jan 10, 2024 · dd0f551 · dd0f551
1 parent af21e82
commit dd0f551
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 2 deletions.
diff --git a/lib/Controller/AppointmentConfigController.php b/lib/Controller/AppointmentConfigController.php
@@ -35,6 +35,7 @@
 use OCA\Calendar\Service\Appointments\AppointmentConfigService;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\IRequest;
 use Psr\Log\LoggerInterface;
 use function array_keys;
@@ -148,7 +149,9 @@ private function validateAvailability(array $availability): void {
 	 * @param int|null $end
 	 * @param int|null $futureLimit
 	 * @return JsonResponse
+	 * @UserRateThrottle(limit=10, period=1200)
 	 */
+	#[UserRateLimit(limit: 10, period: 1200)]
 	public function create(
 		string $name,
 		string $description,

diff --git a/lib/Controller/BookingController.php b/lib/Controller/BookingController.php
@@ -38,6 +38,8 @@
 use OCA\Calendar\Service\Appointments\BookingService;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\AnonRateLimit;
+use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Services\IInitialState;
 use OCP\AppFramework\Utility\ITimeFactory;
@@ -163,7 +165,12 @@ public function getBookableSlots(int $appointmentConfigId,
 	 * @param string $description
 	 * @param string $timeZone
 	 * @return JsonResponse
+	 *
+	 * @AnonRateThrottle(limit=10, period=1200)
+	 * @UserRateThrottle(limit=10, period=300)
 	 */
+	#[AnonRateLimit(limit: 10, period: 1200)]
+	#[UserRateLimit(limit: 10, period: 300)]
 	public function bookSlot(int $appointmentConfigId,
 							 int $start,
 							 int $end,

diff --git a/src/components/AppointmentConfigModal.vue b/src/components/AppointmentConfigModal.vue
@@ -127,7 +127,10 @@
 						</div>
 					</fieldset>
 				</div>
-				<button class="primary appointment-config-modal__submit-button"
+				<div v-if="rateLimitingReached">
+					{{ t('calendar', 'It seems a rate limit has been reached. Please try again later.') }}
+				</div>
+				<button class="appointment-config-modal__submit-button"
 					:disabled="!editing.name || editing.length === 0"
 					@click="save">
 					{{ saveButtonText }}
@@ -184,6 +187,7 @@ export default {
 			enablePreparationDuration: false,
 			enableFollowupDuration: false,
 			enableFutureLimit: false,
+			rateLimitingReached: false,
 			showConfirmation: false,
 		}
 	},
@@ -267,6 +271,8 @@ export default {
 			this.editing.calendarFreeBusyUris = this.editing.calendarFreeBusyUris.filter(uri => uri !== this.calendarUrlToUri(calendar.url))
 		},
 		async save() {
+			this.rateLimitingReached = false
+
 			if (!this.enablePreparationDuration) {
 				this.editing.preparationDuration = this.defaultConfig.preparationDuration
 			}
@@ -292,6 +298,9 @@ export default {
 				}
 				this.showConfirmation = true
 			} catch (error) {
+				if (error?.response?.status === 429) {
+					this.rateLimitingReached = true
+				}
 				logger.error('Failed to save config', { error, config, isNew: this.isNew })
 			}
 		},

diff --git a/src/components/Appointments/AppointmentDetails.vue b/src/components/Appointments/AppointmentDetails.vue
@@ -50,6 +50,10 @@
 							autocomplete="off" />
 					</div>
 				</div>
+				<div v-if="showRateLimitingWarning"
+					class="booking-error">
+					{{ $t('calendar', 'It seems a rate limit has been reached. Please try again later.') }}
+				</div>
 				<div v-if="showError"
 					class="booking-error">
 					{{ $t('calendar', 'Could not book the appointment. Please try again later or contact the organizer.') }}
@@ -101,6 +105,10 @@ export default {
 			required: true,
 			type: String,
 		},
+		showRateLimitingWarning: {
+			required: true,
+			type: Boolean,
+		},
 		showError: {
 			required: true,
 			type: Boolean,

diff --git a/src/views/Appointments/Booking.vue b/src/views/Appointments/Booking.vue
@@ -73,6 +73,7 @@
 				:visitor-info="visitorInfo"
 				:time-zone-id="timeZone"
 				:show-error="bookingError"
+					:show-rate-limiting-warning="bookingRateLimit"
 				@save="onSave"
 				@close="selectedSlot = undefined" />
 		</div>
@@ -146,6 +147,7 @@ export default {
 			selectedSlot: undefined,
 			bookingConfirmed: false,
 			bookingError: false,
+			bookingRateLimit: false,
 		}
 	},
 	watch: {
@@ -206,6 +208,7 @@ export default {
 			})
 
 			this.bookingError = false
+			this.bookingRateLimit = false
 			try {
 				await bookSlot(this.config, slot, displayName, email, description, timeZone)
 
@@ -215,7 +218,11 @@ export default {
 				this.bookingConfirmed = true
 			} catch (e) {
 				console.error('could not book appointment', e)
-				this.bookingError = true
+				if (e?.response?.status === 429) {
+					this.bookingRateLimit = true
+				} else {
+					this.bookingError = true
+				}
 			}
 		},
 		onSlotClicked(slot) {