From b78715f353c7af669c34c79aa69c8e7c5cfb5bc3 Mon Sep 17 00:00:00 2001
From: Bradley Schofield
Date: Tue, 9 Nov 2021 14:07:10 +0000
Subject: [PATCH] Update api.php
---
 app/controllers/shared/api.php | 29 ++++++++++++-----------------
 1 file changed, 12 insertions(+), 17 deletions(-)
diff --git a/app/controllers/shared/api.php b/app/controllers/shared/api.php
index d219083363..53e0a60741 100644
--- a/app/controllers/shared/api.php
+++ b/app/controllers/shared/api.php
@@ -39,32 +39,26 @@ App::init(function ($utopia, $request, $response, $project, $user, $register, $e
 */
 $abuseKeyLabel = $route->getLabel('abuse-key', 'url:{url},ip:{ip}');
 $timeLimitArray = [];
- if (is_array($abuseKeyLabel)) {
- for ($i = 0; $i < count($abuseKeyLabel); $i++) {
- $timeLimit = new TimeLimit($abuseKeyLabel[$i], $route->getLabel('abuse-limit', 0), $route->getLabel('abuse-time', 3600), $db);
- $timeLimit->setNamespace('app_'.$project->getId());
- $timeLimit
- ->setParam('{userId}', $user->getId())
- ->setParam('{userAgent}', $request->getUserAgent(''))
- ->setParam('{ip}', $request->getIP())
- ->setParam('{url}', $request->getHostname().$route->getPath())
- ;
- $timeLimitArray[] = $timeLimit;
- }
- } else {
- $timeLimit = new TimeLimit($abuseKeyLabel, $route->getLabel('abuse-limit', 0), $route->getLabel('abuse-time', 3600), $db);
+
+ if (!is_array($abuseKeyLabel)) {
+ $abuseKeyLabel = [$abuseKeyLabel];
+ }
+
+ foreach ($abuseKeyLabel as $abuseKey) {
+ $timeLimit = new TimeLimit($abuseKey, $route->getLabel('abuse-limit', 0), $route->getLabel('abuse-time', 3600), $db);
 $timeLimit->setNamespace('app_'.$project->getId());
 $timeLimit
 ->setParam('{userId}', $user->getId())
 ->setParam('{userAgent}', $request->getUserAgent(''))
 ->setParam('{ip}', $request->getIP())
- ->setParam('{url}', $request->getHostname().$route->getPath())
- ;
+ ->setParam('{url}', $request->getHostname().$route->getPath());
 $timeLimitArray[] = $timeLimit;
 }
 
 //TODO make sure we get array here
+ $closestLimit = 999;
+
 foreach ($timeLimitArray as $timeLimit) {
 foreach ($request->getParams() as $key => $value) { // Set request params as potential abuse keys
 if(!empty($value)) {
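Review bot: `$closestLimit = 999;` seeds the tightest-limit search with a magic number, so any TimeLimit whose `remaining()` is still 999 or more never satisfies the `$timeLimit->remaining() < $closestLimit` test in the next hunk and emits no `X-RateLimit-*` headers until it is nearly exhausted — a route configured with a large `abuse-limit` would report nothing to clients that pace themselves on those headers (assuming `remaining()` returns the count of requests left in the window). Seed it with the type's upper bound instead, `$closestLimit = PHP_INT_MAX;`, so the first limiting TimeLimit always wins regardless of how large its window is. The `//TODO make sure we get array here` comment is now stale, since `$abuseKeyLabel` is normalised to an array a few lines above; drop it rather than leave a misleading note. The enclosing `App::init` closure starts before this hunk.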
@@ -74,7 +68,8 @@ App::init(function ($utopia, $request, $response, $project, $user, $register, $e
 $abuse = new Abuse($timeLimit);
- if ($timeLimit->limit()) {
+ if ($timeLimit->limit() && $timeLimit->remaining() < $closestLimit) {
+ $closestLimit = $timeLimit->remaining();
 $response
 ->addHeader('X-RateLimit-Limit', $timeLimit->limit())
 ->addHeader('X-RateLimit-Remaining', $timeLimit->remaining())