chore: use "app_api" session key, "app_api_system" is deprecated

Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
nextcloud · Jul 18, 2024 · 960cfa5 · 960cfa5
1 parent b09347a
commit 960cfa5
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php b/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php
@@ -11,6 +11,7 @@
 use OC\AppFramework\Utility\ControllerMethodReflector;
 use OC\Security\RateLimiting\Exception\RateLimitExceededException;
 use OC\Security\RateLimiting\Limiter;
+use OC\User\Session;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\Attribute\AnonRateLimit;
 use OCP\AppFramework\Http\Attribute\ARateLimit;
@@ -63,8 +64,8 @@ public function beforeController(Controller $controller, string $methodName): vo
 		parent::beforeController($controller, $methodName);
 		$rateLimitIdentifier = get_class($controller) . '::' . $methodName;
 
-		if ($this->session->exists('app_api_system')) {
-			// Bypass rate limiting for app_api
+		if ($this->userSession instanceof Session && $this->userSession->getSession()->get('app_api') === true && $this->userSession->getUser() === null) {
+			# if userId is not specified and the request is authenticated by AppAPI, we skip the rate limit
 			return;
 		}