Merge pull request #4200 from nextcloud/fix/anon-rate-throttle

fix: Properly throttle in error cases and add rate limit for public file creation

lib/Controller/DocumentAPIController.php

@@ -13,6 +13,7 @@ use OCA\Richdocuments\AppInfo\Application;
 use OCA\Richdocuments\Helper;
 use OCA\Richdocuments\TemplateManager;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\AnonRateLimit;
 use OCP\AppFramework\Http\Attribute\BruteForceProtection;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\PublicPage;
@@ -57,6 +58,7 @@ class DocumentAPIController extends \OCP\AppFramework\OCSController {
 	#[NoAdminRequired]
 	#[PublicPage]
 	#[BruteForceProtection(action: 'richdocumentsCreatePublic')]
+	#[AnonRateLimit(limit: 5, period: 120)]
 	public function create(string $mimeType, string $fileName, string $directoryPath = '/', ?string $shareToken = null, ?int $templateId = null): JSONResponse {
 		try {
 			if ($shareToken !== null) {
@@ -83,10 +85,12 @@ class DocumentAPIController extends \OCP\AppFramework\OCSController {
 			}
 		} catch (Throwable $e) {
 			$this->logger->error('Failed to create document', ['exception' => $e]);
-			return new JSONResponse([
+			$response = new JSONResponse([
 				'status' => 'error',
 				'message' => $this->l10n->t('Cannot create document')
 			], Http::STATUS_BAD_REQUEST);
+			$response->throttle();
+			return $response;
 		}
 
 		$basename = $this->l10n->t('New Document.odt');