From c404cdfd6e6fad9c99ed10ecbe908465ab1cad2f Mon Sep 17 00:00:00 2001
From: Mathieu Velten <mathieu.velten@beta.gouv.fr>
Date: Thu, 4 Dec 2025 10:53:42 +0100
Subject: [PATCH] Add rate limit conf to user directory endpoint

---
 changelog.d/19291.misc                        |  1 +
 .../configuration/config_documentation.md     | 19 +++++++++++++++++++
 schema/synapse-config.schema.yaml             | 10 ++++++++++
 synapse/config/ratelimiting.py                |  6 ++++++
 synapse/rest/client/user_directory.py         |  9 +++++++++
 5 files changed, 45 insertions(+)
 create mode 100644 changelog.d/19291.misc

diff --git a/changelog.d/19291.misc b/changelog.d/19291.misc
new file mode 100644
index 00000000000..bac12b85065
--- /dev/null
+++ b/changelog.d/19291.misc
@@ -0,0 +1 @@
+Add a config to be able to rate limit search in the user directory.
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md
index 7509e4d715e..c11dae58da5 100644
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
@@ -2041,6 +2041,25 @@ rc_room_creation:
   burst_count: 5.0
 ```
 ---
+### `rc_user_directory`
+
+*(object)* This option allows admins to ratelimit searches in the user directory.
+
+_Added in Synapse 1.145.0._
+
+This setting has the following sub-options:
+
+* `per_second` (number): Maximum number of requests a client can send per second.
+
+* `burst_count` (number): Maximum number of requests a client can send before being throttled.
+
+Default configuration:
+```yaml
+rc_user_directory:
+  per_second: 0.016
+  burst_count: 50.0
+```
+---
 ### `federation_rr_transactions_per_room_per_second`
 
 *(integer)* Sets outgoing federation transaction frequency for sending read-receipts, per-room.
diff --git a/schema/synapse-config.schema.yaml b/schema/synapse-config.schema.yaml
index bf9346995da..d281478b89a 100644
--- a/schema/synapse-config.schema.yaml
+++ b/schema/synapse-config.schema.yaml
@@ -2274,6 +2274,16 @@ properties:
     examples:
       - per_second: 1.0
         burst_count: 5.0
+  rc_user_directory:
+    $ref: "#/$defs/rc"
+    description: >-
+      This option allows admins to ratelimit searches in the user directory.
+
+
+      _Added in Synapse 1.145.0._
+    default:
+      per_second: 0.016
+      burst_count: 50.0
   federation_rr_transactions_per_room_per_second:
     type: integer
     description: >-
diff --git a/synapse/config/ratelimiting.py b/synapse/config/ratelimiting.py
index 78d9d61d3c6..128c9b3e994 100644
--- a/synapse/config/ratelimiting.py
+++ b/synapse/config/ratelimiting.py
@@ -252,3 +252,9 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None:
             "rc_reports",
             defaults={"per_second": 1, "burst_count": 5},
         )
+
+        self.rc_user_directory = RatelimitSettings.parse(
+            config,
+            "rc_user_directory",
+            defaults={"per_second": 0.016, "burst_count": 50},
+        )
diff --git a/synapse/rest/client/user_directory.py b/synapse/rest/client/user_directory.py
index 0f561c2e615..fa1342d0bfd 100644
--- a/synapse/rest/client/user_directory.py
+++ b/synapse/rest/client/user_directory.py
@@ -23,6 +23,7 @@
 from typing import TYPE_CHECKING
 
 from synapse.api.errors import SynapseError
+from synapse.api.ratelimiting import Ratelimiter
 from synapse.http.server import HttpServer
 from synapse.http.servlet import RestServlet, parse_json_object_from_request
 from synapse.http.site import SynapseRequest
@@ -46,6 +47,12 @@ def __init__(self, hs: "HomeServer"):
         self.auth = hs.get_auth()
         self.user_directory_handler = hs.get_user_directory_handler()
 
+        self._per_user_limiter = Ratelimiter(
+            store=hs.get_datastores().main,
+            clock=hs.get_clock(),
+            cfg=hs.config.ratelimiting.rc_user_directory,
+        )
+
     async def on_POST(self, request: SynapseRequest) -> tuple[int, JsonMapping]:
         """Searches for users in directory
 
@@ -69,6 +76,8 @@ async def on_POST(self, request: SynapseRequest) -> tuple[int, JsonMapping]:
         if not self.hs.config.userdirectory.user_directory_search_enabled:
             return 200, {"limited": False, "results": []}
 
+        await self._per_user_limiter.ratelimit(requester)
+
         body = parse_json_object_from_request(request)
 
         limit = int(body.get("limit", 10))