Skip to content

[SQSERVICES-1980] Guest Links Password Retry Limit #3202

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
battermann merged 3 commits into from
Apr 3, 2023
Merged

[SQSERVICES-1980] Guest Links Password Retry Limit #3202

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
af18bad
rate limit per ip for /conversations/join
battermann Mar 29, 2023
28233c0
changelog
battermann Mar 29, 2023
46b135c
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1980-be…
battermann Mar 30, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/2-features/pr-3202
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
`conversations/join` endpoint rate limited per IP address
Copy link
Member

@jschaul jschaul Mar 29, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suppose this introduces the conversations/join endpoint in the public API. The rate limit is secondary. Can you reformulate and move this to API changes subfolder?

2 changes: 1 addition & 1 deletion charts/nginz/templates/conf/_nginx.conf.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -259,7 +259,7 @@ http {
{{- if ($location.unlimited_requests_endpoint) }}
# Note that this endpoint has no rate limit per user for authenticated requests
{{- else }}
limit_req zone=reqs_per_user burst=20 nodelay;
limit_req zone=reqs_per_user burst=20 nodelay;
{{- end }}
{{- end }}

Expand Down
5 changes: 5 additions & 0 deletions charts/nginz/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -444,6 +444,11 @@ nginx_conf:
- all
doc: true
oauth_scope: conversations_code
- path: /conversations/join
Copy link
Member

@jschaul jschaul Mar 29, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do I understand correctly that this is an authenticated-endpoint-only?

I don't have enough context here to actually approve this PR. The rate limit bit is fine; but this adds a new public endpoint which I don't know exactly how it works what it does and how product wise it's supposed to be used.

But the existing guest links use /conversations/code (not /join). So shouldn't this modify the existing API's rate limiting and not introduce this new endpoint? Do client teams switch over to this other endpoint? Where was this implemented to start with?

Copy link
Contributor Author

@battermann battermann Mar 30, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do I understand correctly that this is an authenticated-endpoint-only?

I don't have enough context here to actually approve this PR. The rate limit bit is fine; but this adds a new public endpoint which I don't know exactly how it works what it does and how product wise it's supposed to be used.

But the existing guest links use /conversations/code (not /join). So shouldn't this modify the existing API's rate limiting and not introduce this new endpoint? Do client teams switch over to this other endpoint? Where was this implemented to start with?

This PR does not introduce a new endpoint. It was already there before and did match the following directive:

    - path: /conversations
      envs:
      - all

I just created a new entry, so that the configuration is only applied to the path /conversations/join.

Copy link
Member

@jschaul jschaul Apr 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah I see. Okay. That's fine. Thanks for the context.

envs:
- all
specific_user_rate_limit: reqs_per_addr
specific_user_rate_limit_burst: "10"
- path: /conversations
envs:
- all
Expand Down