feat: separate web3 rate limits from other /token?grant_type=...
#1985
Merged
Conversation
kangmingtay
approved these changes
Apr 10, 2025
rerun dogfooding ci
kangmingtay
approved these changes
Apr 10, 2025
hf
pushed a commit
that referenced
this pull request
Apr 15, 2025
🤖 I have created a release *beep* *boop*

---

## [2.171.0](v2.170.0...v2.171.0) (2025-04-14)

### Features

* add sign in with solana (EIP-4361) support ([#1918](#1918)) ([d121546](d121546))
* allow invalid config directories ([#1969](#1969)) ([6b842f6](6b842f6))
* allow limiting lifespan of low-aal sessions ([#1942](#1942)) ([d7a9ca6](d7a9ca6))
* Block specific outgoing mail servers ([#1971](#1971)) ([091aef9](091aef9))
* refactor hooks out of api package ([#1976](#1976)) ([c5904c0](c5904c0))
* separate web3 rate limits from other `/token?grant_type=...` ([#1985](#1985)) ([8b23382](8b23382))

### Bug Fixes

* explicit permissions on actions ([#1978](#1978)) ([06e9ead](06e9ead))
* propagate error when confirming phone ([#1939](#1939)) ([e882b42](e882b42))
* redirects must not be to ip addresses ([#1984](#1984)) ([347e23a](347e23a))
* sanitize redirect URL (remove fragment, query) before pattern matching ([#1974](#1974)) ([ccf20d7](ccf20d7))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
wdoppenberg
pushed a commit
to wdoppenberg/supabase-auth
that referenced
this pull request
Jun 5, 2025
…upabase#1985)

Sign in with Web3 can be very prone to abuse. This is because all it takes for the `/token?grant_type=web3` endpoint to be abused is the generation of signed messages by a private key.

For this reason a new rate limit config is provided, `GOTRUE_RATE_LIMIT_WEB3`, which limits the number of such calls per IP address.

To achieve this, the rate limit enforcement on the `/token` API is moved inside the `Token` handler. This provides a future basis for separating out the rate limiters for Sign in with Password and ID token, as well as rate limiters for PKCE.
wdoppenberg
pushed a commit
to wdoppenberg/supabase-auth
that referenced
this pull request
Jun 5, 2025
🤖 I have created a release *beep* *boop*
cemalkilic
pushed a commit
that referenced
this pull request
Aug 7, 2025
…1985)
cemalkilic
pushed a commit
that referenced
this pull request
Aug 7, 2025
🤖 I have created a release *beep* *boop*
Sign in with Web3 can be very prone to abuse. This is because all it takes for the `/token?grant_type=web3` endpoint to be abused is the generation of signed messages by a private key.

For this reason a new rate limit config is provided, `GOTRUE_RATE_LIMIT_WEB3`, which limits the number of such calls per IP address.

To achieve this, the rate limit enforcement on the `/token` API is moved inside the `Token` handler. This provides a future basis for separating out the rate limiters for Sign in with Password and ID token, as well as rate limiters for PKCE.
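The pattern the PR description and the squashed commit message describe, enforcing the rate limit inside the `/token` handler once `grant_type` is known so that `web3` gets its own per-IP bucket while the other grant types share another, as an added Go example. This is illustrative code written for this page, not supabase/auth's implementation: the fixed-window `ipLimiter`, the `tokenHandler` type, the set of grant types in the `switch`, the `over_request_rate_limit` error body and the use of `RemoteAddr` as the client IP are all assumptions made here.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// ipLimiter is a fixed-window, per-client-IP counter. It stands in for the
// limiter GoTrue sizes from GOTRUE_RATE_LIMIT_*; this is example code for this
// page, not the project's own limiter.
type ipLimiter struct {
	mu     sync.Mutex
	limit  int              // requests allowed per window per IP
	window time.Duration    // length of the fixed window
	now    func() time.Time // injectable clock, so tests can advance time
	hits   map[string]*counter
}

type counter struct {
	start time.Time
	count int
}

func newIPLimiter(limit int, window time.Duration) *ipLimiter {
	return &ipLimiter{limit: limit, window: window, now: time.Now, hits: map[string]*counter{}}
}

// Allow records one request from ip and reports whether it is within the limit.
func (l *ipLimiter) Allow(ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	c, ok := l.hits[ip]
	if !ok || now.Sub(c.start) >= l.window {
		l.hits[ip] = &counter{start: now, count: 1} // new or expired window
		return true
	}
	if c.count >= l.limit {
		return false
	}
	c.count++
	return true
}

// tokenHandler applies the limit inside the /token handler, after grant_type is
// parsed, so web3 has its own bucket and the remaining grant types share one.
type tokenHandler struct {
	web3  *ipLimiter // sized from GOTRUE_RATE_LIMIT_WEB3
	other *ipLimiter // assumed shared limit for the non-web3 grant types
}

// clientIP keys on the TCP peer address. Behind a reverse proxy the limiter must
// key on the proxy-supplied client IP instead; trusting a client-controlled
// X-Forwarded-For lets an attacker rotate "IPs" and defeat the limit entirely.
func clientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

func (h *tokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, `{"error":"method_not_allowed"}`, http.StatusMethodNotAllowed)
		return
	}
	var lim *ipLimiter
	switch grant := r.URL.Query().Get("grant_type"); grant {
	case "web3":
		lim = h.web3
	case "password", "refresh_token", "id_token", "pkce": // assumed list
		lim = h.other
	default:
		http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
		return
	}
	if !lim.Allow(clientIP(r)) {
		// Error code assumed for illustration; the 429 status is the point.
		http.Error(w, `{"error":"over_request_rate_limit"}`, http.StatusTooManyRequests)
		return
	}
	// Grant-specific verification (for web3, checking the signed EIP-4361
	// message) would run here; this example stops at admission control.
	w.WriteHeader(http.StatusOK)
}

// statusFor sends one POST /token?grant_type=<grant> from ip and returns the status.
func statusFor(h http.Handler, grant, ip string) int {
	req := httptest.NewRequest(http.MethodPost, "/token?grant_type="+grant, nil)
	req.RemoteAddr = net.JoinHostPort(ip, "54321")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := &tokenHandler{web3: newIPLimiter(2, time.Minute), other: newIPLimiter(30, time.Minute)}
	for i := 0; i < 3; i++ {
		fmt.Println("web3", statusFor(h, "web3", "203.0.113.7"))
	}
	fmt.Println("password", statusFor(h, "password", "203.0.113.7"))
}
```

The dispatch happens before the limiter is chosen, which is what makes the separation possible: a client that exhausts the `web3` budget from one address still gets a normal response for `grant_type=password`, and a request with an unknown `grant_type` is rejected without consuming anyone's budget. A fixed-window counter is the simplest choice and allows a burst of up to twice the limit across a window boundary; a sliding window or token bucket tightens that if the deployment needs it.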