Skip to content

feat: separate web3 rate limits from other /token?grant_type=...#1985

Merged
hf merged 1 commit into
masterfrom
hf/separate-web3-rate-limits-from-other-token
Apr 10, 2025
Merged

feat: separate web3 rate limits from other /token?grant_type=...#1985
hf merged 1 commit into
masterfrom
hf/separate-web3-rate-limits-from-other-token

Conversation

@hf

@hf hf commented Apr 10, 2025

Copy link
Copy Markdown
Contributor

Sign in with Web3 can be very prone to abuse. This is because all it takes for the /token?grant_type=web3 endpoint to be abused is the generation of signed messages by a private key.

For this reason a new rate limit config is provided GOTRUE_RATE_LIMIT_WEB3 which limits the number of such calls per IP address.

To achieve this, the rate limit enforcement on the /token API is moved inside in the Token handler. This provides a future basis for separating out the rate limiters for Sign in with Password and ID token, as well as rate limiters for PKCE.

@hf hf requested a review from a team as a code owner April 10, 2025 14:12
@hf hf force-pushed the hf/separate-web3-rate-limits-from-other-token branch from 05c2332 to 1e49b3d Compare April 10, 2025 14:20
@coveralls

coveralls commented Apr 10, 2025

Copy link
Copy Markdown

Pull Request Test Coverage Report for Build 14383837120

Details

  • 39 of 50 (78.0%) changed or added relevant lines in 5 files are covered.
  • 3 unchanged lines in 2 files lost coverage.
  • Overall coverage decreased (-0.002%) to 68.089%

Changes Missing Coverage Covered Lines Changed/Added Lines %
internal/api/token.go 11 12 91.67%
internal/api/middleware.go 18 28 64.29%
Files with Coverage Reduction New Missed Lines %
internal/api/middleware.go 1 83.21%
internal/api/token.go 2 70.6%
Totals Coverage Status
Change from base Build 14239048510: -0.002%
Covered Lines: 10532
Relevant Lines: 15468

💛 - Coveralls

@hf hf force-pushed the hf/separate-web3-rate-limits-from-other-token branch from 1e49b3d to df5cfa4 Compare April 10, 2025 14:42
Comment thread internal/api/middleware.go Outdated
Comment thread internal/api/token_test.go
@hf hf force-pushed the hf/separate-web3-rate-limits-from-other-token branch 2 times, most recently from 554ec11 to 89f82ee Compare April 10, 2025 14:58
@hf hf force-pushed the hf/separate-web3-rate-limits-from-other-token branch from 89f82ee to 1c9b08a Compare April 10, 2025 15:04
@kangmingtay

Copy link
Copy Markdown
Member

rerun dogfooding ci

@hf hf merged commit 8b23382 into master Apr 10, 2025
@hf hf deleted the hf/separate-web3-rate-limits-from-other-token branch April 10, 2025 15:57
hf pushed a commit that referenced this pull request Apr 15, 2025
🤖 I have created a release *beep* *boop*
---


##
[2.171.0](v2.170.0...v2.171.0)
(2025-04-14)


### Features

* add sign in with solana (EIP-4361) support
([#1918](#1918))
([d121546](d121546))
* allow invalid config directories
([#1969](#1969))
([6b842f6](6b842f6))
* allow limiting lifespan of low-aal sessions
([#1942](#1942))
([d7a9ca6](d7a9ca6))
* Block specific outgoing mail servers
([#1971](#1971))
([091aef9](091aef9))
* refactor hooks out of api package
([#1976](#1976))
([c5904c0](c5904c0))
* separate web3 rate limits from other `/token?grant_type=...`
([#1985](#1985))
([8b23382](8b23382))


### Bug Fixes

* explicit permisions on actions
([#1978](#1978))
([06e9ead](06e9ead))
* propagate error when when confirming phone
([#1939](#1939))
([e882b42](e882b42))
* redirects must not be to ip addresses
([#1984](#1984))
([347e23a](347e23a))
* sanitize redirect URL (remove fragment, query) before pattern matching
([#1974](#1974))
([ccf20d7](ccf20d7))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
wdoppenberg pushed a commit to wdoppenberg/supabase-auth that referenced this pull request Jun 5, 2025
…upabase#1985)

Sign in with Web3 can be very prone to abuse. This is because all it
takes for the `/token?grant_type=web3` endpoint to be abused is the
generation of signed messages by a private key.

For this reason a new rate limit config is provided
`GOTRUE_RATE_LIMIT_WEB3` which limits the number of such calls per IP
address.

To achieve this, the rate limit enforcement on the `/token` API is moved
inside in the `Token` handler. This provides a future basis for
separating out the rate limiters for Sign in with Password and ID token,
as well as rate limiters for PKCE.
wdoppenberg pushed a commit to wdoppenberg/supabase-auth that referenced this pull request Jun 5, 2025
🤖 I have created a release *beep* *boop*
---


##
[2.171.0](supabase/auth@v2.170.0...v2.171.0)
(2025-04-14)


### Features

* add sign in with solana (EIP-4361) support
([supabase#1918](supabase#1918))
([d121546](supabase@d121546))
* allow invalid config directories
([supabase#1969](supabase#1969))
([6b842f6](supabase@6b842f6))
* allow limiting lifespan of low-aal sessions
([supabase#1942](supabase#1942))
([d7a9ca6](supabase@d7a9ca6))
* Block specific outgoing mail servers
([supabase#1971](supabase#1971))
([091aef9](supabase@091aef9))
* refactor hooks out of api package
([supabase#1976](supabase#1976))
([c5904c0](supabase@c5904c0))
* separate web3 rate limits from other `/token?grant_type=...`
([supabase#1985](supabase#1985))
([8b23382](supabase@8b23382))


### Bug Fixes

* explicit permisions on actions
([supabase#1978](supabase#1978))
([06e9ead](supabase@06e9ead))
* propagate error when when confirming phone
([supabase#1939](supabase#1939))
([e882b42](supabase@e882b42))
* redirects must not be to ip addresses
([supabase#1984](supabase#1984))
([347e23a](supabase@347e23a))
* sanitize redirect URL (remove fragment, query) before pattern matching
([supabase#1974](supabase#1974))
([ccf20d7](supabase@ccf20d7))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
cemalkilic pushed a commit that referenced this pull request Aug 7, 2025
…1985)

Sign in with Web3 can be very prone to abuse. This is because all it
takes for the `/token?grant_type=web3` endpoint to be abused is the
generation of signed messages by a private key.

For this reason a new rate limit config is provided
`GOTRUE_RATE_LIMIT_WEB3` which limits the number of such calls per IP
address.

To achieve this, the rate limit enforcement on the `/token` API is moved
inside in the `Token` handler. This provides a future basis for
separating out the rate limiters for Sign in with Password and ID token,
as well as rate limiters for PKCE.
cemalkilic pushed a commit that referenced this pull request Aug 7, 2025
🤖 I have created a release *beep* *boop*
---


##
[2.171.0](v2.170.0...v2.171.0)
(2025-04-14)


### Features

* add sign in with solana (EIP-4361) support
([#1918](#1918))
([d121546](d121546))
* allow invalid config directories
([#1969](#1969))
([6b842f6](6b842f6))
* allow limiting lifespan of low-aal sessions
([#1942](#1942))
([d7a9ca6](d7a9ca6))
* Block specific outgoing mail servers
([#1971](#1971))
([091aef9](091aef9))
* refactor hooks out of api package
([#1976](#1976))
([c5904c0](c5904c0))
* separate web3 rate limits from other `/token?grant_type=...`
([#1985](#1985))
([8b23382](8b23382))


### Bug Fixes

* explicit permisions on actions
([#1978](#1978))
([06e9ead](06e9ead))
* propagate error when when confirming phone
([#1939](#1939))
([e882b42](e882b42))
* redirects must not be to ip addresses
([#1984](#1984))
([347e23a](347e23a))
* sanitize redirect URL (remove fragment, query) before pattern matching
([#1974](#1974))
([ccf20d7](ccf20d7))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
fadymak pushed a commit that referenced this pull request Sep 30, 2025
…1985)

Sign in with Web3 can be very prone to abuse. This is because all it
takes for the `/token?grant_type=web3` endpoint to be abused is the
generation of signed messages by a private key.

For this reason a new rate limit config is provided
`GOTRUE_RATE_LIMIT_WEB3` which limits the number of such calls per IP
address.

To achieve this, the rate limit enforcement on the `/token` API is moved
inside in the `Token` handler. This provides a future basis for
separating out the rate limiters for Sign in with Password and ID token,
as well as rate limiters for PKCE.
fadymak pushed a commit that referenced this pull request Sep 30, 2025
🤖 I have created a release *beep* *boop*
---


##
[2.171.0](v2.170.0...v2.171.0)
(2025-04-14)


### Features

* add sign in with solana (EIP-4361) support
([#1918](#1918))
([d121546](d121546))
* allow invalid config directories
([#1969](#1969))
([6b842f6](6b842f6))
* allow limiting lifespan of low-aal sessions
([#1942](#1942))
([d7a9ca6](d7a9ca6))
* Block specific outgoing mail servers
([#1971](#1971))
([091aef9](091aef9))
* refactor hooks out of api package
([#1976](#1976))
([c5904c0](c5904c0))
* separate web3 rate limits from other `/token?grant_type=...`
([#1985](#1985))
([8b23382](8b23382))


### Bug Fixes

* explicit permisions on actions
([#1978](#1978))
([06e9ead](06e9ead))
* propagate error when when confirming phone
([#1939](#1939))
([e882b42](e882b42))
* redirects must not be to ip addresses
([#1984](#1984))
([347e23a](347e23a))
* sanitize redirect URL (remove fragment, query) before pattern matching
([#1974](#1974))
([ccf20d7](ccf20d7))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants