From dd0f55154cd588ac829cb11bdfd27b31b96fbdf3 Mon Sep 17 00:00:00 2001
From: Christoph Wurst <christoph@winzerhof-wurst.at>
Date: Thu, 4 Jan 2024 10:04:35 +0100
Subject: [PATCH] fix(appointments): Rate limit config creation and booking

Abusing the appointment config endpoint can lead to additional server
load. Sending bulks of booking requests can lead to mass notifications
and emails and server load, too.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
---
 lib/Controller/AppointmentConfigController.php     |  3 +++
 lib/Controller/BookingController.php               |  7 +++++++
 src/components/AppointmentConfigModal.vue          | 11 ++++++++++-
 src/components/Appointments/AppointmentDetails.vue |  8 ++++++++
 src/views/Appointments/Booking.vue                 |  9 ++++++++-
 5 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/lib/Controller/AppointmentConfigController.php b/lib/Controller/AppointmentConfigController.php
index 8af29cb7db..33b1310408 100644
--- a/lib/Controller/AppointmentConfigController.php
+++ b/lib/Controller/AppointmentConfigController.php
@@ -35,6 +35,7 @@
 use OCA\Calendar\Service\Appointments\AppointmentConfigService;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\IRequest;
 use Psr\Log\LoggerInterface;
 use function array_keys;
@@ -148,7 +149,9 @@ private function validateAvailability(array $availability): void {
 	 * @param int|null $end
 	 * @param int|null $futureLimit
 	 * @return JsonResponse
+	 * @UserRateThrottle(limit=10, period=1200)
 	 */
+	#[UserRateLimit(limit: 10, period: 1200)]
 	public function create(
 		string $name,
 		string $description,
diff --git a/lib/Controller/BookingController.php b/lib/Controller/BookingController.php
index 4339c14308..f1142d9194 100644
--- a/lib/Controller/BookingController.php
+++ b/lib/Controller/BookingController.php
@@ -38,6 +38,8 @@
 use OCA\Calendar\Service\Appointments\BookingService;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\AnonRateLimit;
+use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Services\IInitialState;
 use OCP\AppFramework\Utility\ITimeFactory;
@@ -163,7 +165,12 @@ public function getBookableSlots(int $appointmentConfigId,
 	 * @param string $description
 	 * @param string $timeZone
 	 * @return JsonResponse
+	 *
+	 * @AnonRateThrottle(limit=10, period=1200)
+	 * @UserRateThrottle(limit=10, period=300)
 	 */
+	#[AnonRateLimit(limit: 10, period: 1200)]
+	#[UserRateLimit(limit: 10, period: 300)]
 	public function bookSlot(int $appointmentConfigId,
 							 int $start,
 							 int $end,
diff --git a/src/components/AppointmentConfigModal.vue b/src/components/AppointmentConfigModal.vue
index 4e4975ab21..30defdbff0 100644
--- a/src/components/AppointmentConfigModal.vue
+++ b/src/components/AppointmentConfigModal.vue
@@ -127,7 +127,10 @@
 						</div>
 					</fieldset>
 				</div>
-				<button class="primary appointment-config-modal__submit-button"
+				<div v-if="rateLimitingReached">
+					{{ t('calendar', 'It seems a rate limit has been reached. Please try again later.') }}
+				</div>
+				<button class="appointment-config-modal__submit-button"
 					:disabled="!editing.name || editing.length === 0"
 					@click="save">
 					{{ saveButtonText }}
@@ -184,6 +187,7 @@ export default {
 			enablePreparationDuration: false,
 			enableFollowupDuration: false,
 			enableFutureLimit: false,
+			rateLimitingReached: false,
 			showConfirmation: false,
 		}
 	},
@@ -267,6 +271,8 @@ export default {
 			this.editing.calendarFreeBusyUris = this.editing.calendarFreeBusyUris.filter(uri => uri !== this.calendarUrlToUri(calendar.url))
 		},
 		async save() {
+			this.rateLimitingReached = false
+
 			if (!this.enablePreparationDuration) {
 				this.editing.preparationDuration = this.defaultConfig.preparationDuration
 			}
@@ -292,6 +298,9 @@ export default {
 				}
 				this.showConfirmation = true
 			} catch (error) {
+				if (error?.response?.status === 429) {
+					this.rateLimitingReached = true
+				}
 				logger.error('Failed to save config', { error, config, isNew: this.isNew })
 			}
 		},
diff --git a/src/components/Appointments/AppointmentDetails.vue b/src/components/Appointments/AppointmentDetails.vue
index cf7ae7b4f7..f1797160d9 100644
--- a/src/components/Appointments/AppointmentDetails.vue
+++ b/src/components/Appointments/AppointmentDetails.vue
@@ -50,6 +50,10 @@
 							autocomplete="off" />
 					</div>
 				</div>
+				<div v-if="showRateLimitingWarning"
+					class="booking-error">
+					{{ $t('calendar', 'It seems a rate limit has been reached. Please try again later.') }}
+				</div>
 				<div v-if="showError"
 					class="booking-error">
 					{{ $t('calendar', 'Could not book the appointment. Please try again later or contact the organizer.') }}
@@ -101,6 +105,10 @@ export default {
 			required: true,
 			type: String,
 		},
+		showRateLimitingWarning: {
+			required: true,
+			type: Boolean,
+		},
 		showError: {
 			required: true,
 			type: Boolean,
diff --git a/src/views/Appointments/Booking.vue b/src/views/Appointments/Booking.vue
index 5f5df28b9d..7dbab808c6 100644
--- a/src/views/Appointments/Booking.vue
+++ b/src/views/Appointments/Booking.vue
@@ -73,6 +73,7 @@
 				:visitor-info="visitorInfo"
 				:time-zone-id="timeZone"
 				:show-error="bookingError"
+					:show-rate-limiting-warning="bookingRateLimit"
 				@save="onSave"
 				@close="selectedSlot = undefined" />
 		</div>
@@ -146,6 +147,7 @@ export default {
 			selectedSlot: undefined,
 			bookingConfirmed: false,
 			bookingError: false,
+			bookingRateLimit: false,
 		}
 	},
 	watch: {
@@ -206,6 +208,7 @@ export default {
 			})
 
 			this.bookingError = false
+			this.bookingRateLimit = false
 			try {
 				await bookSlot(this.config, slot, displayName, email, description, timeZone)
 
@@ -215,7 +218,11 @@ export default {
 				this.bookingConfirmed = true
 			} catch (e) {
 				console.error('could not book appointment', e)
-				this.bookingError = true
+				if (e?.response?.status === 429) {
+					this.bookingRateLimit = true
+				} else {
+					this.bookingError = true
+				}
 			}
 		},
 		onSlotClicked(slot) {