Merge pull request #46446 from nextcloud/update-app-api-rate-limit-key

use "app_api" session key in rate limit middleware, "app_api_system" is deprecated

lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php

@@ -11,6 +11,7 @@
 use OC\AppFramework\Utility\ControllerMethodReflector;
 use OC\Security\RateLimiting\Exception\RateLimitExceededException;
 use OC\Security\RateLimiting\Limiter;
+use OC\User\Session;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\Attribute\AnonRateLimit;
 use OCP\AppFramework\Http\Attribute\ARateLimit;
@@ -63,8 +64,8 @@ public function beforeController(Controller $controller, string $methodName): vo
 		parent::beforeController($controller, $methodName);
 		$rateLimitIdentifier = get_class($controller) . '::' . $methodName;
 
-		if ($this->session->exists('app_api_system')) {
-			// Bypass rate limiting for app_api
+		if ($this->userSession instanceof Session && $this->userSession->getSession()->get('app_api') === true && $this->userSession->getUser() === null) {
+			// if userId is not specified and the request is authenticated by AppAPI, we skip the rate limit
 			return;
 		}