From 6ae4876fe9c736d80929f9c86e4debbac28c1cae Mon Sep 17 00:00:00 2001
From: Joas Schilling 
Date: Thu, 11 May 2023 09:23:50 +0200
Subject: [PATCH] fix(middleware): Also abort the request when reaching max delay in afterController

Signed-off-by: Joas Schilling 
---
 .../Middleware/Security/BruteForceMiddleware.php | 10 +++++++++-
 .../Middleware/Security/BruteForceMiddlewareTest.php | 6 +++---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
index 31a4791845e..b1f0edfd14e 100644
--- a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
@@ -87,8 +87,16 @@ class BruteForceMiddleware extends Middleware {
 if ($this->reflector->hasAnnotation('BruteForceProtection') && $response->isThrottled()) {
 $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
 $ip = $this->request->getRemoteAddress();
- $this->throttler->sleepDelay($ip, $action);
 $this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata());
+ try {
+ $this->throttler->sleepDelayOrThrowOnMax($ip, $action);
+ } catch (MaxDelayReached $e) {
+ if ($controller instanceof OCSController) {
+ throw new OCSException($e->getMessage(), Http::STATUS_TOO_MANY_REQUESTS);
+ }
+
+ return new TooManyRequestsResponse();
+ }
 }
 
 return parent::afterController($controller, $methodName, $response);
diff --git a/tests/lib/AppFramework/Middleware/Security/BruteForceMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/BruteForceMiddlewareTest.php
index 786bac6d856..fc6379b07d5 100644
--- a/tests/lib/AppFramework/Middleware/Security/BruteForceMiddlewareTest.php
+++ b/tests/lib/AppFramework/Middleware/Security/BruteForceMiddlewareTest.php
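Review bot: The new `catch (MaxDelayReached $e)` branch in afterController has no test coverage in this commit; the accompanying test changes only rename the mocked method from `sleepDelay` to `sleepDelayOrThrowOnMax`, so neither the `OCSController` path (OCSException with `Http::STATUS_TOO_MANY_REQUESTS`) nor the plain-controller path (`return new TooManyRequestsResponse();`) is exercised. A test that makes the throttler mock throw `MaxDelayReached` and asserts each outcome would pin the abort behaviour the commit title promises. The OCS path forwards `$e->getMessage()` to the client, which is acceptable only if the throttler's message is a fixed, generic string; a short comment such as `// exception message is sent to the client; must stay generic` would make that contract explicit. The early return/throw also bypasses `parent::afterController`, which looks intended since the request is aborted, but a one-line comment saying so would help the next reader. afterController's signature and the rest of its body lie outside this hunk.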
@@ -126,7 +126,7 @@ class BruteForceMiddlewareTest extends TestCase {
 ->willReturn('127.0.0.1');
 $this->throttler
 ->expects($this->once())
- ->method('sleepDelay')
+ ->method('sleepDelayOrThrowOnMax')
 ->with('127.0.0.1', 'login');
 $this->throttler
 ->expects($this->once())
@@ -158,7 +158,7 @@ class BruteForceMiddlewareTest extends TestCase {
 ->method('getRemoteAddress');
 $this->throttler
 ->expects($this->never())
- ->method('sleepDelay');
+ ->method('sleepDelayOrThrowOnMax');
 $this->throttler
 ->expects($this->never())
 ->method('registerAttempt');
@@ -182,7 +182,7 @@ class BruteForceMiddlewareTest extends TestCase {
 ->method('getRemoteAddress');
 $this->throttler
 ->expects($this->never())
- ->method('sleepDelay');
+ ->method('sleepDelayOrThrowOnMax');
 
 /** @var Controller|\PHPUnit\Framework\MockObject\MockObject $controller */
 $controller = $this->createMock(Controller::class);