khanh.pndc/nextcloud-docs
1
0
Fork 0
mirror of https://github.com/nextcloud/documentation.git synced 2026-01-03 02:09:45 +07:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #411 from nextcloud/add-documentation-rate-limiting

Browse Source 
Add documentation for rate limiting
This commit is contained in:
Morris Jobke
2017-04-13 12:44:18 -05:00
committed by GitHub
parent bbe260ee42 a0f6beaec7
commit 0c4456a40e
2 changed files with 32 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
developer_manual/app/controllers.rst
View File

@@ -729,9 +729,6 @@ Each response subclass has access to the **setStatus** method which lets you set
}
Authentication
==============
By default every controller method enforces the maximum security, which is:
@@ -771,4 +768,35 @@ A controller method that turns off all checks would look like this:
}
Rate limiting
=============
Nextcloud supports rate limiting on a controller method basis. By default controller methods are not rate limited. Rate limiting should be used on expensive or security sensitive functions (e.g. password resets) to increase the overall security of your application.
The native rate limiting will return a 429 status code to clients when the limit is reached and a default Nextcloud error page. When implementing rate limiting in your application, you should thus consider handling error situations where a 429 is returned by Nextcloud.
To enable rate limiting the following *Annotations* can be added to the controller:
* **@UserRateThrottle(limit=int, period=int)**: The rate limiting that is applied to logged-in users. If not specified Nextcloud will fallback to AnonUserRateThrottle.
* **@AnonRateThrottle(limit=int, period=int)**: The rate limiting that is applied to guests.
A controller method that would allow five requests for logged-in users and one request for anonymous users within the last 100 seconds would look as following:
.. code-block:: php
<?php
namespace OCA\MyApp\Controller;
use OCP\IRequest;
use OCP\AppFramework\Controller;
class PageController extends Controller {
/**
* @PublicPage
* @UserRateThrottle(limit=5, period=100)
* @AnonRateThrottle(limit=1, period=100)
*/
public function rateLimitedForAll() {
}
}

2
developer_manual/general/security.rst
View File

@@ -246,4 +246,4 @@ Always validate the URL before redirecting if the requested URL is on the same d
Getting help
------------
If you need help to ensure that a function is secure please ask on our `mailing list <https://mailman.owncloud.org/mailman/listinfo/devel>`_ or on our IRC channel **#nextcloud-dev** on **irc.freenode.net**.
If you need help to ensure that a function is secure please ask on our `forum <https://help.nextcloud.com>`_ or on our IRC channel **#nextcloud-dev** on **irc.freenode.net**.