Add rate limit conf to user directory endpoint

Author: MatMaul

changelog.d/19291.misc

@@ -0,0 +1 @@
+Add a config to be able to rate limit search in the user directory.

docs/usage/configuration/config_documentation.md

@@ -2041,6 +2041,25 @@ rc_room_creation:
   burst_count: 5.0
 ```
 ---
+### `rc_user_directory`
+
+*(object)* This option allows admins to ratelimit searches in the user directory.
+
+_Added in Synapse 1.145.0._
+
+This setting has the following sub-options:
+
+* `per_second` (number): Maximum number of requests a client can send per second.
+
+* `burst_count` (number): Maximum number of requests a client can send before being throttled.
+
+Default configuration:
+```yaml
+rc_user_directory:
+  per_second: 0.016
+  burst_count: 50.0
+```
+---
 ### `federation_rr_transactions_per_room_per_second`
 
 *(integer)* Sets outgoing federation transaction frequency for sending read-receipts, per-room.

schema/synapse-config.schema.yaml

@@ -2274,6 +2274,13 @@ properties:
     examples:
       - per_second: 1.0
         burst_count: 5.0
+  rc_user_directory:
+    $ref: "#/$defs/rc"
+    description: >-
+      This option allows admins to ratelimit searches in the user directory.
+    default:
+      per_second: 0.016
+      burst_count: 10.0
   federation_rr_transactions_per_room_per_second:
     type: integer
     description: >-

synapse/config/ratelimiting.py

@@ -252,3 +252,9 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None:
             "rc_reports",
             defaults={"per_second": 1, "burst_count": 5},
         )
+
+        self.rc_user_directory = RatelimitSettings.parse(
+            config,
+            "rc_user_directory",
+            defaults={"per_second": 0.016, "burst_count": 50},
+        )

synapse/rest/client/user_directory.py

@@ -23,6 +23,7 @@
 from typing import TYPE_CHECKING
 
 from synapse.api.errors import SynapseError
+from synapse.api.ratelimiting import Ratelimiter
 from synapse.http.server import HttpServer
 from synapse.http.servlet import RestServlet, parse_json_object_from_request
 from synapse.http.site import SynapseRequest
@@ -46,6 +47,12 @@ def __init__(self, hs: "HomeServer"):
         self.auth = hs.get_auth()
         self.user_directory_handler = hs.get_user_directory_handler()
 
+        self._per_user_limiter = Ratelimiter(
+            store=hs.get_datastores().main,
+            clock=hs.get_clock(),
+            cfg=hs.config.ratelimiting.rc_user_directory,
+        )
+
     async def on_POST(self, request: SynapseRequest) -> tuple[int, JsonMapping]:
         """Searches for users in directory
 
@@ -69,6 +76,8 @@ async def on_POST(self, request: SynapseRequest) -> tuple[int, JsonMapping]:
         if not self.hs.config.userdirectory.user_directory_search_enabled:
             return 200, {"limited": False, "results": []}
 
+        await self._per_user_limiter.ratelimit(requester)
+
         body = parse_json_object_from_request(request)
 
         limit = int(body.get("limit", 10))