Skip to content

Add a task to clean up expired JWT failure rate limits #380

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jclapis merged 4 commits into from
Sep 30, 2025
Merged

Add a task to clean up expired JWT failure rate limits #380

jclapis merged 4 commits into from
Sep 30, 2025

Conversation

@jclapis
Copy link
Collaborator

@jclapis jclapis commented Sep 22, 2025

This adds a small task that runs in parallel with the Signer server and periodically cleans up the JWT auth failure map, removing any rate limiting entries that have expired. Previously the only way they got removed was if the timed out client tried to request again after the timeout period, so if lots of clients never re-requested then they'd just fill up the map for no reason.

Note that the attempt count isn't timed, so if a client fails 2/3 attempts, then waits 10 minutes, then fails a 3rd attempt, they'll trigger the lockout.

@jclapis jclapis requested a review from ltitanb September 22, 2025 12:47
@jclapis jclapis self-assigned this Sep 22, 2025
@jclapis jclapis added the signer Signer module label Sep 22, 2025
ManuelBilbao
ManuelBilbao reviewed Sep 22, 2025
View reviewed changes
crates/common/src/config/signer.rs
Comment on lines +91 to +92
/// limit has been reached. This also defines the interval at which failed
/// attempts are regularly checked and expired ones are cleaned up.
Copy link
Collaborator

@ManuelBilbao ManuelBilbao Sep 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we also add this note to config.example.toml?

Copy link
Collaborator Author

@jclapis jclapis Sep 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in a39fb31.

crates/signer/src/service.rs Outdated
.route(STATUS_PATH, get(handle_status));

// Run the JWT cleaning task
//let state = state.clone();
Copy link
Collaborator

@ManuelBilbao ManuelBilbao Sep 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is missed here

Copy link
Collaborator Author

@jclapis jclapis Sep 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in a39fb31.

jclapis and others added 2 commits September 22, 2025 09:45
@jclapis jclapis merged commit 2a9bdf9 into misc-reaudit-fixes Sep 30, 2025
2 checks passed
@jclapis jclapis deleted the jwt-fail-pruning branch September 30, 2025 18:17
@jclapis jclapis mentioned this pull request Sep 30, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ManuelBilbao ManuelBilbao ManuelBilbao approved these changes

@ltitanb ltitanb ltitanb approved these changes

Assignees

@jclapis jclapis

Labels

signer Signer module

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jclapis @ManuelBilbao @ltitanb