Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rate limiting should result in consistent return types and be appropriately documented #1121

Closed
1 task done
jwoytek opened this issue Aug 22, 2023 · 4 comments
Closed
1 task done

Rate limiting should result in consistent return types and be appropriately documented #1121

jwoytek opened this issue Aug 22, 2023 · 4 comments
Labels
code quality documentation

Comments

@jwoytek
Copy link

jwoytek commented Aug 22, 2023

Prerequisites

  • Put an X between the brackets on this line if you have done all of the following:
    • Checked the FAQs on the message board for common solutions: (TBD)
    • Checked that your issue isn't already filed.

Description

Rate limiting incoming requests is supported and currently appears to be in place in production. At least one layer of rate limiting in production is returning 403 Forbidden, where 429 Too Many Requests might be more appropriate.

  • Document the rate limiting environment variables accepted by the code to configure request rate limiting.
  • Consider returning 429 Too Many Requests for all types of rate limiting to help users understand and deal with limits.

Steps to Reproduce

  1. Exceed the rate limit(s) with API requests.

Expected behavior:

Rate limit issues should return a 429 Too Many Requests, which clients can choose to retry after a timeout.

Actual behavior:

Some rate limits in production return a 403 Forbidden, which most clients will not attempt to retry unless configured explicitly to do so.

Reproduces how often:

Consistently.

Versions

Production through current.

Additional Information
@zmanion
Copy link

zmanion commented Aug 22, 2023

An additional request would be to document the rate limits, or if they change frequently, at least note that they exist. Somewhat documented here https://github.com/CVEProject/cve-services/blob/dev/.env.

@jdaigneau5 jdaigneau5 moved this to Needs Triage in Issue Triage Jul 2, 2024
@david-rocca david-rocca moved this to Todo in Sprint 45 Dec 18, 2024
@david-rocca
Copy link
Collaborator

I am currently working this ticket.

In CVE-Services, our middleware that triggers on a rate limiting event will always return a 429. It appears that one of the limiting levels that we have (outside of services itself) is throwing the 403. I will update the documentation for the ENV vars in the mean time, but I will get with a few members of the infrastructure team to see if we can track down that 403 being thrown.

Thanks.

@david-rocca david-rocca moved this from Todo to In Progress in Sprint 45 Dec 26, 2024
@david-rocca
Copy link
Collaborator

After some review, we have found the rogue 403. I have a request out to our cloud team to rectify that to become a 429. I am going to close this ticket after the merging in of the documentation of the ENV vars as this is no longer something that can be handled in services. Thanks for bringing this up!

@david-rocca david-rocca mentioned this issue Dec 30, 2024
Merged
@david-rocca david-rocca moved this from In Progress to In Review in Sprint 45 Dec 30, 2024
@jwoytek
Copy link
Author

jwoytek commented Jan 6, 2025

That's great @david-rocca ! Thank you!

@github-project-automation github-project-automation bot moved this from In Review to Done in Sprint 45 Jan 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
code quality documentation
Projects
Sprint 45
Status: Done
Milestone
No milestone
Development

No branches or pull requests
4 participants
@david-rocca @jwoytek @zmanion @jdaigneau5