fix: REST api v1 not enforcing rate limiter (RocketChat#36313)

pierre-lehnen-rc · web-flow · commit 1693663753cb · 2025-07-16T21:09:43.000Z
diff --git a/.changeset/proud-wolves-scream.md b/.changeset/proud-wolves-scream.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Fixes rate limiter not being enforced for the v1 REST API
diff --git a/apps/meteor/app/api/server/ApiClass.ts b/apps/meteor/app/api/server/ApiClass.ts
@@ -525,7 +525,7 @@ export class APIClass<
 		invocation.twoFactorChecked = true;
 	}
 
-	protected getFullRouteName(route: string, method: string): string {
+	public getFullRouteName(route: string, method: string): string {
 		return `/${this.apiPath || ''}/${route}${method}`;
 	}
 
@@ -831,7 +831,7 @@ export class APIClass<
 
 						const objectForRateLimitMatch = {
 							IPAddr: this.requestIp,
-							route: `/${route}${this.request.method.toLowerCase()}`,
+							route: api.getFullRouteName(route, this.request.method.toLowerCase()),
 						};
 
 						let result;

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@rocket.chat/meteor': patch
 +---
++
 +Fixes rate limiter not being enforced for the v1 REST API
Original file line number	Diff line number	Diff line change
`@@ -525,7 +525,7 @@ export class APIClass<`
`525`	`525`	`invocation.twoFactorChecked = true;`
`526`	`526`	`}`
`527`	`527`
`528`		`- protected getFullRouteName(route: string, method: string): string {`
	`528`	`+ public getFullRouteName(route: string, method: string): string {`
`529`	`529`	return `/${this.apiPath \|\| ''}/${route}${method}`;
`530`	`530`	`}`
`531`	`531`
`@@ -831,7 +831,7 @@ export class APIClass<`
`831`	`831`
`832`	`832`	`const objectForRateLimitMatch = {`
`833`	`833`	`IPAddr: this.requestIp,`
`834`		- route: `/${route}${this.request.method.toLowerCase()}`,
	`834`	`+ route: api.getFullRouteName(route, this.request.method.toLowerCase()),`
`835`	`835`	`};`
`836`	`836`
`837`	`837`	`let result;`