Skip to content

🐛 fix(rate-limit): block credential rotation#216

Draft
gaborbernat wants to merge 1 commit into
tox-dev:mainfrom
gaborbernat:fix/rate-limit-credential-rotation
Draft

🐛 fix(rate-limit): block credential rotation#216
gaborbernat wants to merge 1 commit into
tox-dev:mainfrom
gaborbernat:fix/rate-limit-credential-rotation

Conversation

@gaborbernat

@gaborbernat gaborbernat commented Jul 12, 2026

Copy link
Copy Markdown
Member

Before credential validation, peryx selected local rate-limit buckets from raw Authorization values, so a client could rotate invalid credentials to bypass configured limits and evict other entries from the bounded cache. This closes #193.

Drivers authenticate credentials before bucket selection. peryx hashes named principals with process-random state and groups invalid credentials or anonymous clients by IP. Each authorized request uses one route resolution for classification and authentication; requests without Authorization keep the existing fast path.

Operators use the four Diátaxis pages to configure and diagnose rate limits. Contributors use the architecture guide to preserve the driver authentication boundary.

@gaborbernat gaborbernat added the bug Something isn't working label Jul 12, 2026
@read-the-docs-community

read-the-docs-community Bot commented Jul 12, 2026

Copy link
Copy Markdown

@codspeed-hq

codspeed-hq Bot commented Jul 12, 2026

Copy link
Copy Markdown

Merging this PR will not alter performance

✅ 29 untouched benchmarks
🆕 1 new benchmark
⏩ 62 skipped benchmarks1

Performance Changes

Mode Benchmark BASE HEAD Efficiency
🆕 WallTime simple_json[enabled_authenticated] N/A 26.3 µs N/A

Comparing gaborbernat:fix/rate-limit-credential-rotation (7689f03) with main (38729f8)

Open in CodSpeed

Footnotes

  1. 62 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@gaborbernat gaborbernat force-pushed the fix/rate-limit-credential-rotation branch 3 times, most recently from 6ae6863 to 47936a8 Compare July 13, 2026 04:26
Middleware keyed buckets on raw Authorization before driver validation. Clients
could bypass limits and grow the cache by rotating invalid credentials.

Resolve credentials through the owning driver and hash named principals with a
per-process seed. Use the client IP for invalid or anonymous credentials while
retaining the fast path when Authorization is absent.

Fixes tox-dev#193
@gaborbernat gaborbernat force-pushed the fix/rate-limit-credential-rotation branch from 47936a8 to 7689f03 Compare July 13, 2026 06:00
@gaborbernat gaborbernat added priority:P0 Correctness, security, or client-visible failure type:bug Incorrect behavior or missing validation area:security Path, URL, integrity, or access safety area:performance Cache, HTTP, memory, and benchmark work labels Jul 13, 2026
@gaborbernat gaborbernat self-assigned this Jul 13, 2026
@gaborbernat gaborbernat marked this pull request as draft July 13, 2026 06:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:performance Cache, HTTP, memory, and benchmark work area:security Path, URL, integrity, or access safety bug Something isn't working priority:P0 Correctness, security, or client-visible failure type:bug Incorrect behavior or missing validation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(rate-limit): reject credential rotation bypass

1 participant