Make RateLimiter class check for ratelimit overrides (#9711)

This should fix a class of bug where we forget to check if e.g. the appservice shouldn't be ratelimited. We also check the `ratelimit_override` table to check if the user has ratelimiting disabled. That table is really only meant to override the event sender ratelimiting, so we don't use any values from it (as they might not make sense for different rate limits), but we do infer that if ratelimiting is disabled for the user we should disabled all ratelimits. Fixes #9663
2025-05-03 04:04:54 -04:00 · 2021-03-30 12:06:09 +01:00 · 2021-03-30 12:06:09 +01:00 · 963f4309fe
commit 963f4309fe
parent 3a446c21f8
16 changed files with 241 additions and 154 deletions
--- a/synapse/handlers/identity.py
+++ b/synapse/handlers/identity.py
@ -61,17 +61,19 @@ class IdentityHandler(BaseHandler):

        # Ratelimiters for `/requestToken` endpoints.
        self._3pid_validation_ratelimiter_ip = Ratelimiter(
+            store=self.store,
            clock=hs.get_clock(),
            rate_hz=hs.config.ratelimiting.rc_3pid_validation.per_second,
            burst_count=hs.config.ratelimiting.rc_3pid_validation.burst_count,
        )
        self._3pid_validation_ratelimiter_address = Ratelimiter(
+            store=self.store,
            clock=hs.get_clock(),
            rate_hz=hs.config.ratelimiting.rc_3pid_validation.per_second,
            burst_count=hs.config.ratelimiting.rc_3pid_validation.burst_count,
        )

-    def ratelimit_request_token_requests(
+    async def ratelimit_request_token_requests(
        self,
        request: SynapseRequest,
        medium: str,
@ -85,8 +87,12 @@ class IdentityHandler(BaseHandler):
            address: The actual threepid ID, e.g. the phone number or email address
        """

-        self._3pid_validation_ratelimiter_ip.ratelimit((medium, request.getClientIP()))
-        self._3pid_validation_ratelimiter_address.ratelimit((medium, address))
+        await self._3pid_validation_ratelimiter_ip.ratelimit(
+            None, (medium, request.getClientIP())
+        )
+        await self._3pid_validation_ratelimiter_address.ratelimit(
+            None, (medium, address)
+        )

    async def threepid_from_creds(
        self, id_server: str, creds: Dict[str, str]