
[Bug]: UserRateThrottle too stringent for profile updates #39733

Closed
5 of 8 tasks
TriggerHorizon opened this issue Aug 6, 2023 · 4 comments · Fixed by #39825
Assignees
Labels
3. to review Waiting for reviews 27-feedback bug feature: profile PRs or issues related to the Profile feature (e.g. Profile page, API, etc.) security

Comments

@TriggerHorizon

⚠️ This issue respects the following points: ⚠️

Bug description

Our users are actively creating and updating their profiles. The @UserRateThrottle(limit=50, period=600) in apps/provisioning_api/lib/Controller/UsersController.php for function editUser appears to be too stringent while editing "about".

The about field is saved "continuously" as you are creating the content, and if creating a new profile you can quite easily surpass 50 calls in 10 minutes. This led to our users receiving the error message "Unable to update about. There were too many requests from your network ..." and then they can no longer work on their profile until the period has expired.

Would suggest increasing the default limit or making this a configurable parameter.

Steps to reproduce

  1. Create new user
  2. Update the profile including the about field ... enter information slowly in the about field such that data is stored "continuously"
  3. Get locked out of updating the profile after 50 API calls until the period has expired.

Expected behavior

Would expect that you could fully create your profile including the about section, which you might spend some time on, without receiving error messages and getting throttled.

Installation method

Community Docker image

Nextcloud Server version

27

Operating system

None

PHP engine version

None

Web server

None

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "filelocking.enabled": true,
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "overwritehost": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "27.0.1.2",
        "overwrite.cli.url": "https:\/\/***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "skeletondirectory": "",
        "default_phone_region": "NO",
        "maintenance": false,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "loglevel": 2,
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "debug": false
    }
}

List of activated Apps

No response

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response

@TriggerHorizon TriggerHorizon added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Aug 6, 2023
@kesselb (Contributor) commented Aug 6, 2023

cc @Pytal @nickvergessen

@kesselb (Contributor) commented Aug 6, 2023

Indeed, not only the user rate limit but also the debounce timeout for the profile fields is very low.

@kesselb kesselb added 1. to develop Accepted and waiting to be taken care of 27-feedback and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Aug 6, 2023
@nickvergessen (Member)

Then I'd suggest to start with increasing the debounce. The endpoint is used for a lot of other details as well, and increasing the rate limit is not really planned.

@Pytal Pytal self-assigned this Aug 11, 2023
@Pytal Pytal added 3. to review Waiting for reviews and removed 1. to develop Accepted and waiting to be taken care of labels Aug 11, 2023
@Pytal (Member) commented Aug 11, 2023

Increased in #39825

500 ms seems pretty standard, but increasing to 1 s here seems fine.

@joshtrichards joshtrichards added security feature: profile PRs or issues related to the Profile feature (e.g. Profile page, API, etc.) labels Aug 24, 2023
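As an added illustration of the interaction the report and the replies describe (a debounced client-side autosave against a per-user server limit of 50 requests per 600 s), here is a JavaScript simulation. It is not Nextcloud code and not part of the issue: the limiter is a simplified sliding-window model of what @UserRateThrottle(limit=50, period=600) enforces, the typing trace is constructed, and the two debounce values (500 ms, 1 s) are the ones mentioned in the thread. A virtual clock keeps it deterministic and offline.

```javascript
// Added example, not Nextcloud's code. Simulates the failure mode from the
// issue: a debounced autosave of the profile "about" field hitting a per-user
// limit of 50 requests per 600 s, and shows what a longer debounce changes.
// Everything runs on a virtual clock (timestamps in ms), so it is
// deterministic and needs no network.

// Simplified model of a per-user rate limiter (assumption: sliding window;
// Nextcloud's real UserRateThrottle implementation may differ in details).
class UserRateLimiter {
  constructor(limit, periodMs) {
    this.limit = limit;
    this.periodMs = periodMs;
    this.hits = []; // timestamps of accepted requests
  }
  // Returns true if the request is accepted, false if it would be throttled
  // (the client then sees the "too many requests" error from the report).
  request(nowMs) {
    this.hits = this.hits.filter((t) => nowMs - t < this.periodMs);
    if (this.hits.length >= this.limit) return false;
    this.hits.push(nowMs);
    return true;
  }
}

// Constructed typing trace: keystroke timestamps. The user types in bursts
// of `burstLen` keys `keyGapMs` apart, pauses `shortPauseMs` between bursts
// (thinking of the next word), and pauses `longPauseMs` after every
// `burstsPerSentence` bursts.
function typingTrace({ totalMs, burstLen, keyGapMs, shortPauseMs, longPauseMs, burstsPerSentence }) {
  const keys = [];
  let t = 0;
  let bursts = 0;
  while (t < totalMs) {
    for (let i = 0; i < burstLen; i++) {
      keys.push(t);
      t += keyGapMs;
    }
    t -= keyGapMs; // back to the time of the burst's last keystroke
    bursts++;
    t += bursts % burstsPerSentence === 0 ? longPauseMs : shortPauseMs;
  }
  return keys;
}

// Trailing-edge debounce: a save request fires once `debounceMs` has passed
// with no further keystroke. Each fire is sent to the limiter.
function simulateAutosave(keys, debounceMs, limiter) {
  const stats = { attempts: 0, saves: 0, throttled: 0, firstThrottleAtMs: null };
  const fire = (nowMs) => {
    stats.attempts++;
    if (limiter.request(nowMs)) {
      stats.saves++;
    } else {
      stats.throttled++;
      if (stats.firstThrottleAtMs === null) stats.firstThrottleAtMs = nowMs;
    }
  };
  let dueAt = null;
  for (const t of keys) {
    if (dueAt !== null && dueAt <= t) fire(dueAt); // quiet period elapsed before this key
    dueAt = t + debounceMs; // every keystroke restarts the timer
  }
  if (dueAt !== null) fire(dueAt); // flush after the last keystroke
  return stats;
}

// Compare the two client debounce values discussed in the thread (500 ms
// before, 1 s after) against the server limit from the report.
function compareDebounce(debounceValuesMs = [500, 1000]) {
  const keys = typingTrace({
    totalMs: 600000, burstLen: 5, keyGapMs: 150,
    shortPauseMs: 800, longPauseMs: 3000, burstsPerSentence: 10,
  });
  const results = {};
  for (const d of debounceValuesMs) {
    results[d] = simulateAutosave(keys, d, new UserRateLimiter(50, 600000));
  }
  return { keystrokes: keys.length, results };
}

const report = compareDebounce();
console.log(`keystrokes: ${report.keystrokes}`);
for (const [d, s] of Object.entries(report.results)) {
  console.log(`debounce ${d} ms: attempts=${s.attempts} saves=${s.saves} throttled=${s.throttled}` +
    (s.firstThrottleAtMs !== null ? ` first throttle at ${s.firstThrottleAtMs / 1000}s` : ''));
}
```

With this trace a 500 ms debounce fires after every 800 ms word pause, exhausts the 50-request budget after about 80 seconds and then rejects every further save for the rest of the 10-minute window; a 1 s debounce only fires after the 3 s sentence pauses and stays well under the limit. That is the trade-off the thread settles on: lengthening the client debounce is a local fix, whereas raising the server limit would loosen protection for every other attribute the same editUser endpoint accepts.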