🐛 fix(rate-limit): block credential rotation#216
Draft
gaborbernat wants to merge 1 commit into
Draft
Conversation
Merging this PR will not alter performance
Performance Changes
Comparing Footnotes
|
This was referenced Jul 12, 2026
6ae6863 to
47936a8
Compare
Middleware keyed buckets on raw Authorization before driver validation. Clients could bypass limits and grow the cache by rotating invalid credentials. Resolve credentials through the owning driver and hash named principals with a per-process seed. Use the client IP for invalid or anonymous credentials while retaining the fast path when Authorization is absent. Fixes tox-dev#193
47936a8 to
7689f03
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Before credential validation, peryx selected local rate-limit buckets from raw
Authorizationvalues, so a client could rotate invalid credentials to bypass configured limits and evict other entries from the bounded cache. This closes #193.Drivers authenticate credentials before bucket selection. peryx hashes named principals with process-random state and groups invalid credentials or anonymous clients by IP. Each authorized request uses one route resolution for classification and authentication; requests without
Authorizationkeep the existing fast path.Operators use the four Diátaxis pages to configure and diagnose rate limits. Contributors use the architecture guide to preserve the driver authentication boundary.