diff --git a/app/controllers/api/functions.php b/app/controllers/api/functions.php
index 1a21dfb02c..35a807f949 100644
--- a/app/controllers/api/functions.php
+++ b/app/controllers/api/functions.php
@@ -629,6 +629,8 @@ App::post('/v1/functions/:functionId/executions')
 ->label('sdk.response.code', Response::STATUS_CODE_CREATED)
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_EXECUTION)
+ ->label('abuse-limit', 60)
+ ->label('abuse-time', 60)
 ->param('functionId', '', new UID(), 'Function unique ID.')
 // ->param('async', 1, new Range(0, 1), 'Execute code asynchronously. Pass 1 for true, 0 for false. Default value is 1.', true)
 ->inject('response')
diff --git a/app/controllers/api/users.php b/app/controllers/api/users.php
index 9b124e0a90..76e20aad98 100644
--- a/app/controllers/api/users.php
+++ b/app/controllers/api/users.php
@@ -418,7 +418,6 @@ App::delete('/v1/users/:userId/sessions/:sessionId')
 ->label('sdk.response.code', Response::STATUS_CODE_NOCONTENT)
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_NONE)
- ->label('abuse-limit', 100)
 ->param('userId', '', new UID(), 'User unique ID.')
 ->param('sessionId', null, new UID(), 'User unique session ID.')
 ->inject('response')
@@ -465,7 +464,6 @@ App::delete('/v1/users/:userId/sessions')
 ->label('sdk.response.code', Response::STATUS_CODE_NOCONTENT)
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_NONE)
- ->label('abuse-limit', 100)
 ->param('userId', '', new UID(), 'User unique ID.')
 ->inject('response')
 ->inject('projectDB')
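Review bot: The new `abuse-limit`/`abuse-time` labels on the execution-create route carry no comment explaining why 60 calls per 60-second window was chosen, and the hunk does not show what key the counter is scoped to, so a reader cannot tell whether this is per user, per IP or per project. A one-line comment above the two labels would fix that, e.g. `// Throttle execution creation: at most 60 calls per 60s window (see app/controllers/shared/api.php for the callers that are exempt)`. It is also worth stating in that comment that, with the exemption added in app/controllers/shared/api.php in this same commit, the limit only applies to non-privileged, non-API-key callers. The route definition continues past the end of the hunk.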
@@ -509,7 +507,6 @@ App::delete('/v1/users/:userId')
 ->label('sdk.response.code', Response::STATUS_CODE_NOCONTENT)
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_NONE)
- ->label('abuse-limit', 100)
 ->param('userId', '', function () {return new UID();}, 'User unique ID.')
 ->inject('response')
 ->inject('projectDB')
diff --git a/app/controllers/shared/api.php b/app/controllers/shared/api.php
index d64c46a2cd..4dc69b7850 100644
--- a/app/controllers/shared/api.php
+++ b/app/controllers/shared/api.php
@@ -1,5 +1,7 @@ check() && App::getEnv('_APP_OPTIONS_ABUSE', 'enabled') !== 'disabled') {
+ $isPreviliggedUser = Auth::isPreviliggedUser(Authorization::$roles);
+ $isAppUser = Auth::isAppUser(Authorization::$roles);
+
+ if (($abuse->check() // Route is rate-limited
+ && App::getEnv('_APP_OPTIONS_ABUSE', 'enabled') !== 'disabled') // Abuse is not diabled
+ && (!$isAppUser && !$isPreviliggedUser)) // User is not an admin or API key
+ {
 throw new Exception('Too many requests', 429);
 }
 }, ['utopia', 'request', 'response', 'project', 'user', 'register'], 'api');
\ No newline at end of file
diff --git a/tests/e2e/Services/Functions/FunctionsCustomServerTest.php b/tests/e2e/Services/Functions/FunctionsCustomServerTest.php
index 21539ace52..377d728e11 100644
--- a/tests/e2e/Services/Functions/FunctionsCustomServerTest.php
+++ b/tests/e2e/Services/Functions/FunctionsCustomServerTest.php
@@ -455,6 +455,7 @@ class FunctionsCustomServerTest extends Scope
 public function testENVS():array
 {
+ sleep(120);
 /**
 * Test for SUCCESS
 */
@@ -591,7 +592,7 @@ class FunctionsCustomServerTest extends Scope
 $executionId = $execution['body']['$id'] ?? '';
 $this->assertEquals(201, $execution['headers']['status-code']);
- sleep(20);
+ sleep(30);
 $executions = $this->client->call(Client::METHOD_GET, '/functions/'.$functionId.'/executions', array_merge([
 'content-type' => 'application/json',
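Review bot: The exemption for API-key and privileged callers is evaluated after `$abuse->check()` has already run, so the limiter is consulted (and, if `check()` records the hit, its counter advanced) for requests it can never reject; putting the cheap gates first avoids that: `if (App::getEnv('_APP_OPTIONS_ABUSE', 'enabled') !== 'disabled' && !$isAppUser && !$isPreviliggedUser && $abuse->check()) {`. Note that this condition exempts every privileged and API-key request on every route from rate limiting, including the 60-per-60s limit this same commit puts on function executions, so a leaked key is never throttled; that is a deliberate trust decision and deserves a comment saying so, e.g. `// Admin sessions and API keys are trusted; only end-user session traffic is rate-limited`. The inline comment `// Abuse is not diabled` should read `disabled`, and PER-CS puts the `{` of an `if` on the same line as its closing parenthesis rather than on its own line. The hunk header and the start of the removed `if` line are garbled in this view, so the rest of the closure is not visible to me.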
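Review bot: `sleep(120)` at the top of `testENVS()` is an unexplained two-minute wall-clock stall; it presumably lets the 60-second execution rate-limit window introduced in app/controllers/api/functions.php expire before more executions are fired, and that should be stated, e.g. `// Let the execution rate-limit window (abuse-time 60s) reset before this test creates more executions`. The same fixed-sleep pattern appears in the `sleep(20)`→`sleep(30)` bump in the `@@ -591,7 +592,7 @@` hunk, where a bounded poll of the executions list until the execution's status is `completed` would be both faster and less flaky than guessing a duration. `testENVS()` continues past the end of the hunk.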
@@ -601,6 +602,11 @@ class FunctionsCustomServerTest extends Scope
 if($executions['body']['executions'][0]['status'] !== 'completed') {
 var_dump($env);
 var_dump($executions['body']['executions'][0]);
+ $stdout = '';
+ $stderr = '';
+ Console::execute('docker logs appwrite-worker-functions', '', $stdout, $stderr);
+ var_dump($stdout);
+ var_dump($stderr);
 }
 $this->assertEquals($executions['headers']['status-code'], 200);
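Review bot: The `Console::execute('docker logs appwrite-worker-functions', ...)` block is throwaway debugging: the captured `$stdout`/`$stderr` go straight to `var_dump` and are not tied to any assertion, so a failing run still ends with a bare `assertEquals` failure plus a wall of unlabelled output. If the worker logs are meant to help CI triage, attach them as the assertion message instead, e.g. `$this->assertEquals('completed', $executions['body']['executions'][0]['status'], "worker logs:\n{$stdout}\n{$stderr}");`, and drop the `var_dump` calls. I also cannot see from this hunk whether `Console` is imported in this test file (it would need the Utopia CLI `Console` class in scope) or whether the exit code returned by `Console::execute` should be checked before trusting `$stdout`. The enclosing test method starts outside the hunk.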