Skip to content

Fix WithUnauthenticatedLimiter and WithAccessDeniedLimiter rate limiters #61788

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: smallinsky/add_cache_get_method
Choose a base branch
from
Open

Fix WithUnauthenticatedLimiter and WithAccessDeniedLimiter rate limiters #61788

wants to merge 1 commit into from
+250 −10

Conversation

@smallinsky
Copy link
Contributor

@smallinsky smallinsky commented Nov 25, 2025
edited
Loading

What

Fix rate limiting logic in WithUnauthenticatedLimiter and WithAccessDeniedLimiter middleware to check rate limits before performing authentication or executing the handler.

Problem

Previously, these middleware functions would:

  1. Execute authentication checks (allow to guessing the token without rate limiting)
  2. Only apply rate limiting after the auth operations completed

Requires #61776

Address #61510

Contributes to #61511

@smallinsky smallinsky marked this pull request as ready for review November 25, 2025 19:11
@smallinsky smallinsky mentioned this pull request Nov 25, 2025
Open
juliaogris
juliaogris approved these changes Nov 25, 2025
View reviewed changes
Copy link
Contributor

@juliaogris juliaogris left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with a few question.

Generic testing / compatibility question: For new test code should we favor synctest over clockwork.FakeClock?

lib/limiter/internal/ratelimit/tokenbucket.go
}

// IsRateLimited checks if consuming the specified number of tokens would be rate-limited
// without actually consuming any tokens. Returns true if rate-limited, false otherwise.
Copy link
Contributor

@juliaogris juliaogris Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment says "consuming the specified number of tokens" but the method takes no parameters and always checks if there's at least 1 token available.

Maybe update to:

 // IsRateLimited checks if the bucket is currently rate-limited (no tokens available)
  // without actually consuming any tokens. Returns true if rate-limited, false otherwise.

lib/web/apiserver.go
}

func rateLimitRequest(r *http.Request, limiter *limiter.RateLimiter) error {
remote, _, err := net.SplitHostPort(r.RemoteAddr)
Copy link
Contributor

@juliaogris juliaogris Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be updated to:

remote, err := getRemoteAddressFromRequest(r)

lib/web/apiserver.go
func isRequestRateLimited(r *http.Request, limiter *limiter.RateLimiter) bool {
remote, err := getRemoteAddressFromRequest(r)
if err != nil {
return false
Copy link
Contributor

@juliaogris juliaogris Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Silently swallows error - does this deserve a comment?

conditionalLimiterFunc returns an error if getRemoteAddressFromRequest fails
unauthenticatedLimiterFunc does not, should they be consistent?

tcsc
tcsc reviewed Nov 26, 2025
View reviewed changes
lib/web/apiserver_test.go
callCount := 0
handle := h.WithUnauthenticatedLimiter(func(w http.ResponseWriter, r *http.Request, p httprouter.Params) (any, error) {
callCount++
return nil, trace.BadParameter("invalid request")
Copy link
Contributor

@tcsc tcsc Nov 26, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a specific reason for not returning 200 here?

I mean, is the specific status code important, other than

  1. being preserved by the WithUnauthenticatedLimiter adapter, and
  2. not being StatusBadRequest so you can tell when the rate limiter kicks in?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@r0mant r0mant r0mant approved these changes

@juliaogris juliaogris juliaogris approved these changes

@tcsc tcsc tcsc approved these changes

Assignees

No one assigned

Labels

size/md

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@smallinsky @r0mant @juliaogris @tcsc