Anonymous: Add configurable device limit #10
Conversation
* Anonymous: Add device limiter * break auth if limit reached * fix typo * refactored const to make it clearer with expiration * anon device limit for config --------- Co-authored-by: Eric Leijonmarck <[email protected]>
|
cursor review |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Bug: Early Cache Entry Creates False Success
The local cache is set before the database operation completes. If CreateOrUpdateDevice fails (e.g., with ErrDeviceLimitReached), the cache entry remains set, causing subsequent requests for the same device within 29 minutes to incorrectly return success without attempting the database operation, creating inconsistent behavior based on cache state.
pkg/services/anonymous/anonimpl/impl.go#L86-L94
cursor-grafana/pkg/services/anonymous/anonimpl/impl.go
Lines 86 to 94 in 3647ba7
|
|
||
| if count >= s.deviceLimit { | ||
| return s.updateDevice(ctx, device) | ||
| } |
There was a problem hiding this comment.
Bug: Race Condition Bypasses Device Limit
Race condition in device limit enforcement: the check-then-act pattern between counting devices and inserting new ones allows multiple concurrent requests to bypass the limit. When the count is near the limit, concurrent requests can all pass the check and insert devices, exceeding the configured deviceLimit.
|
|
||
| args := []interface{}{device.ClientIP, device.UserAgent, device.UpdatedAt.UTC(), device.DeviceID, | ||
| device.UpdatedAt.UTC().Add(-anonymousDeviceExpiration), device.UpdatedAt.UTC().Add(time.Minute), | ||
| } |
There was a problem hiding this comment.
Bug: Old Devices Cannot Update Due to Limit
The updateDevice function's WHERE clause restricts updates to devices modified within the last 30 days. When the device limit is reached, existing devices older than 30 days cannot be updated and incorrectly return ErrDeviceLimitReached, even though they should be updatable since they already exist in the database.
Test 1
Replicated from ai-code-review-evaluation/grafana-cursor#1
Note
Adds a configurable anonymous device limit (auth.anonymous.device_limit), surfaces it to the frontend, and enforces it in the anonymous device store with a 30‑day window.
auth.anonymous.device_limitinsetting.go; includeAnonymousDeviceLimitin frontend settings DTOs and server response.ProvideAnonymousDeviceServicenow constructsAnonDBStorewithsqlStoreandcfg.AnonymousDeviceLimit; API uses a shared 30‑dayanonymousDeviceExpiration.Authenticatenow surfacesErrDeviceLimitReachedfrom device tagging; otherwise logs warning.deviceLimit,ErrDeviceLimitReached, and 30‑day expiration.CreateOrUpdateDevice(update-only when at limit) via newupdateDevicemethod.ProvideAnonDBStore(sqlStore, deviceLimit)signature; minor query/CRUD adjustments.anonymousDeviceLimittoGrafanaConfigand default in runtime config.TestIntegrationBeyondDeviceLimit).Written by Cursor Bugbot for commit 3647ba7. Configure here.