From ea475f8d567b747116b1111df4bb35b09bd54818 Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Thu, 9 Mar 2023 13:38:09 +1100
Subject: [PATCH] Explicitly define throttle limits for self host and hosted
---
app/Providers/RouteServiceProvider.php | 37 +++++++++++++++++++++++++-
routes/api.php | 8 +++---
2 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/app/Providers/RouteServiceProvider.php b/app/Providers/RouteServiceProvider.php
index e476a7943ecb..df98964e769d 100644
--- a/app/Providers/RouteServiceProvider.php
+++ b/app/Providers/RouteServiceProvider.php
@@ -11,16 +11,20 @@ namespace App\Providers;
+use App\Utils\Ninja;
 use App\Models\Scheduler;
 use App\Utils\Traits\MakesHash;
+use Illuminate\Support\Facades\Route;
+use Illuminate\Cache\RateLimiting\Limit;
+use Illuminate\Support\Facades\RateLimiter;
 use Illuminate\Database\Eloquent\ModelNotFoundException as ModelNotFoundException;
 use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
-use Illuminate\Support\Facades\Route;
 class RouteServiceProvider extends ServiceProvider
 {
 use MakesHash;
+ private int $default_rate_limit = 1000;
 /**
 * Define your route model bindings, pattern filters, etc.
 *
@@ -40,6 +44,37 @@ class RouteServiceProvider extends ServiceProvider
 ->company()
 ->where('id', $this->decodePrimaryKey($value))->firstOrFail();
 });
+
+ RateLimiter::for('login', function () {
+
+ if(Ninja::isSelfHost())
+ return Limit::perMinute($this->default_rate_limit);
+ else {
+ return Limit::perMinute(50);
+ }
+
+ });
+
+ RateLimiter::for('api', function () {
+
+ if(Ninja::isSelfHost())
+ return Limit::perMinute($this->default_rate_limit);
+ else {
+ return Limit::perMinute(300);
+ }
+
+ });
+
+ RateLimiter::for('refresh', function () {
+
+ if(Ninja::isSelfHost())
+ return Limit::perMinute($this->default_rate_limit);
+ else {
+ return Limit::perMinute(200);
+ }
+
+ });
+
 }
 /**
diff --git a/routes/api.php b/routes/api.php
index 7b2809a7a472..bad108e4ba41 100644
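Review bot: `private int $default_rate_limit = 1000;` is an instance property that nothing in the class assigns, and its snake_case name sits in a class whose other members are camelCase; a class constant states the intent (a fixed default) and removes the mutable state: `private const DEFAULT_RATE_LIMIT = 1000;`, read as `self::DEFAULT_RATE_LIMIT` where the limiter closures use it. The import group is also no longer alphabetical after this hunk (`App\Utils\Ninja` lands before `App\Models\Scheduler`, and the re-added `Illuminate\Support\Facades\Route` before `Illuminate\Cache`), which the previous ordering kept.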
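Review bot: The three `RateLimiter::for` closures return `Limit::perMinute(...)` with no `->by()` key and take no `$request` argument, and Laravel keys a limit without `->by()` on the limiter name alone, so each bucket is shared by every client; the numeric `throttle:50,1` / `throttle:300,1` forms they replace were keyed per authenticated user or, before authentication, per IP. On hosted that is 50 login attempts per minute in total across all tenants before everyone gets 429, i.e. the throttle becomes a self-inflicted denial of service, and the 1000 self-host cap has the same shape. Give each closure a `Request $request` parameter (one `use Illuminate\Http\Request;` import) and key the limit, e.g. `->by($request->ip())`, which restores the pre-change keying since these throttles run before `token_auth` and `$request->user()` is not yet set; the unbraced `if` plus `else` after `return` also reads better as one ternary. The enclosing method (presumably `boot()`) starts before the hunk.
```php
RateLimiter::for('login', function (Request $request) {
    $max = Ninja::isSelfHost() ? $this->default_rate_limit : 50;

    // Key per client; without ->by() the bucket is shared by all callers.
    return Limit::perMinute($max)->by($request->ip());
});
// … unchanged: 'api' (300) and 'refresh' (200) limiters, same change applied …
```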
--- a/routes/api.php
+++ b/routes/api.php
@@ -98,17 +98,17 @@ use App\Http\Controllers\WebCronController;
 use App\Http\Controllers\WebhookController;
 use Illuminate\Support\Facades\Route;
-Route::group(['middleware' => ['throttle:300,1', 'api_secret_check']], function () {
+Route::group(['middleware' => ['throttle:api', 'api_secret_check']], function () {
 Route::post('api/v1/signup', [AccountController::class, 'store'])->name('signup.submit');
 Route::post('api/v1/oauth_login', [LoginController::class, 'oauthApiLogin']);
 });
-Route::group(['middleware' => ['throttle:50,1','api_secret_check','email_db']], function () {
+Route::group(['middleware' => ['throttle:login','api_secret_check','email_db']], function () {
 Route::post('api/v1/login', [LoginController::class, 'apiLogin'])->name('login.submit')->middleware('throttle:20,1');
 Route::post('api/v1/reset_password', [ForgotPasswordController::class, 'sendResetLinkEmail']);
 });
-Route::group(['middleware' => ['throttle:300,1', 'api_db', 'token_auth', 'locale'], 'prefix' => 'api/v1', 'as' => 'api.'], function () {
+Route::group(['middleware' => ['throttle:api', 'api_db', 'token_auth', 'locale'], 'prefix' => 'api/v1', 'as' => 'api.'], function () {
 Route::put('accounts/{account}', [AccountController::class, 'update'])->name('account.update');
 Route::resource('bank_integrations', BankIntegrationController::class); // name = (clients. index / create / show / update / destroy / edit
 Route::post('bank_integrations/refresh_accounts', [BankIntegrationController::class, 'refreshAccounts'])->name('bank_integrations.refresh_accounts')->middleware('throttle:30,1');
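Review bot: `api/v1/reset_password` and `api/v1/oauth_login` are now protected only by their group's named limiter, and on self-host both `login` and `api` resolve to the 1000-per-minute `$default_rate_limit` defined in RouteServiceProvider, up from the 50 and 300 per minute these groups enforced before; only `api/v1/login` keeps its own `throttle:20,1`. Password-reset mail sending needs a tight cap in either deployment mode, so give it a per-route throttle like the login route: `Route::post('api/v1/reset_password', [ForgotPasswordController::class, 'sendResetLinkEmail'])->middleware('throttle:20,1');`. The name `api` is also now shared by the unauthenticated signup group and the `token_auth` group, which deserves a short comment on the first group if that is deliberate.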
@@ -265,7 +265,7 @@ Route::group(['middleware' => ['throttle:300,1', 'api_db', 'token_auth', 'locale
 Route::post('recurring_quotes/bulk', [RecurringQuoteController::class, 'bulk'])->name('recurring_quotes.bulk');
 Route::put('recurring_quotes/{recurring_quote}/upload', [RecurringQuoteController::class, 'upload']);
- Route::post('refresh', [LoginController::class, 'refresh'])->middleware('throttle:300,2');
+ Route::post('refresh', [LoginController::class, 'refresh'])->middleware('throttle:refresh');
 Route::post('reports/clients', ClientReportController::class);
 Route::post('reports/contacts', ClientContactReportController::class);
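Review bot: `throttle:refresh` changes the window as well as the cap on this route: the old `throttle:300,2` allowed 300 requests per two minutes, while the `refresh` limiter in RouteServiceProvider is `Limit::perMinute(200)` hosted and 1000 self-host, so the decay halves and the hosted burst allowance moves from a 150-per-minute equivalent to 200. If the two-minute window was intentional, express it in the limiter (`Limit::perMinutes(2, 300)` where the installed Laravel version offers it) rather than dropping it silently, and either way the commit message should say the refresh cap changed. This route also sits inside the group that already applies `throttle:api`, so two named limiters stack on it; a one-line comment on the route saying that is intended would save the next reader a check.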