Merge branch 'master' of https://github.com/appwrite/appwrite into feat-database-indexing

.github/workflows/tests.yml

@@ -28,7 +28,7 @@ jobs:
         docker pull php:8.0-cli-alpine
         docker compose build --progress=plain
         docker compose up -d
-        sleep 10
+        sleep 30
     - name: Doctor
       run: docker compose exec -T appwrite doctor
 

app/controllers/api/account.php

@@ -1740,7 +1740,7 @@ App::post('/v1/account/recovery')
     ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
     ->label('sdk.response.model', Response::MODEL_TOKEN)
     ->label('abuse-limit', 10)
-    ->label('abuse-key', 'url:{url},email:{param-email}')
+    ->label('abuse-key', ['url:{url},email:{param-email}', 'ip:{ip}'])
     ->param('email', '', new Email(), 'User email.')
     ->param('url', '', function ($clients) {return new Host($clients);}, 'URL to redirect the user back to your app from the recovery email. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an [open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) attack against your project API.', false, ['clients'])
     ->inject('request')

app/controllers/shared/api.php

@@ -38,41 +38,51 @@ App::init(function ($utopia, $request, $response, $project, $user, $events, $aud
     /*
      * Abuse Check
      */
-    $timeLimit = new TimeLimit($route->getLabel('abuse-key', 'url:{url},ip:{ip}'), $route->getLabel('abuse-limit', 0), $route->getLabel('abuse-time', 3600), $dbForProject);
-    $timeLimit
-        ->setParam('{userId}', $user->getId())
-        ->setParam('{userAgent}', $request->getUserAgent(''))
-        ->setParam('{ip}', $request->getIP())
-        ->setParam('{url}', $request->getHostname().$route->getPath())
-    ;
+    $abuseKeyLabel = $route->getLabel('abuse-key', 'url:{url},ip:{ip}');
+    $timeLimitArray = [];
 
-    // TODO make sure we get array here
+    $abuseKeyLabel = (!is_array($abuseKeyLabel)) ? [$abuseKeyLabel] : $abuseKeyLabel;
 
-    foreach ($request->getParams() as $key => $value) { // Set request params as potential abuse keys
-        if(!empty($value)) {
-            $timeLimit->setParam('{param-'.$key.'}', (\is_array($value)) ? \json_encode($value) : $value);
-        }
+    foreach ($abuseKeyLabel as $abuseKey) {
+        $timeLimit = new TimeLimit($abuseKey, $route->getLabel('abuse-limit', 0), $route->getLabel('abuse-time', 3600), $dbForProject);
+        $timeLimit
+            ->setParam('{userId}', $user->getId())
+            ->setParam('{userAgent}', $request->getUserAgent(''))
+            ->setParam('{ip}', $request->getIP())
+            ->setParam('{url}', $request->getHostname().$route->getPath());
+        $timeLimitArray[] = $timeLimit;
     }
 
-    $abuse = new Abuse($timeLimit);
-
-    if ($timeLimit->limit()) {
-        $response
-            ->addHeader('X-RateLimit-Limit', $timeLimit->limit())
-            ->addHeader('X-RateLimit-Remaining', $timeLimit->remaining())
-            ->addHeader('X-RateLimit-Reset', $timeLimit->time() + $route->getLabel('abuse-time', 3600))
-        ;
-    }
+    $closestLimit = null;
 
     $roles = Authorization::getRoles();
     $isPrivilegedUser = Auth::isPrivilegedUser($roles);
     $isAppUser = Auth::isAppUser($roles);
 
-    if (($abuse->check() // Route is rate-limited
+    foreach ($timeLimitArray as $timeLimit) {
+        foreach ($request->getParams() as $key => $value) { // Set request params as potential abuse keys
+            if(!empty($value)) {
+                $timeLimit->setParam('{param-'.$key.'}', (\is_array($value)) ? \json_encode($value) : $value);
+            }
+        }
+
+        $abuse = new Abuse($timeLimit);
+
+        if ($timeLimit->limit() && ($timeLimit->remaining() < $closestLimit || is_null($closestLimit))) {
+            $closestLimit = $timeLimit->remaining();
+            $response
+                ->addHeader('X-RateLimit-Limit', $timeLimit->limit())
+                ->addHeader('X-RateLimit-Remaining', $timeLimit->remaining())
+                ->addHeader('X-RateLimit-Reset', $timeLimit->time() + $route->getLabel('abuse-time', 3600))
+            ;
+        }
+
+        if (($abuse->check() // Route is rate-limited
         && App::getEnv('_APP_OPTIONS_ABUSE', 'enabled') !== 'disabled') // Abuse is not disabled
         && (!$isAppUser && !$isPrivilegedUser)) // User is not an admin or API key
         {
-        throw new Exception('Too many requests', 429);
+            throw new Exception('Too many requests', 429);
+        }
     }
 
     /*

app/tasks/sdks.php

@@ -217,7 +217,7 @@ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
                         git fetch && \
                         git pull ' . $gitUrl . ' && \
                         rm -rf ' . $target . '/* && \
-                        cp -r ' . $result . '/ ' . $target . '/ && \
+                        cp -r ' . $result . '/* ' . $target . '/ && \
                         git add . && \
                         git commit -m "' . $message . '" && \
                         git push -u origin ' . $gitBranch . '
@@ -231,7 +231,7 @@ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 
                 $docDirectories = $language['docDirectories'] ?? [''];
 
-                if($version === 'latest') {
+                if ($version === 'latest') {
                     continue;
                 }