Skip to content

CBST2-06: Implement rate limiting for JWT auth failures #310

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 45 commits into
base: main
Choose a base branch
from
Open

CBST2-06: Implement rate limiting for JWT auth failures #310

wants to merge 45 commits into from

Conversation

jclapis
Copy link
Collaborator

@jclapis jclapis commented May 28, 2025
edited
Loading

This adds a customizable setup to the signer module for rate limiting requests after repeated JWT authorization failures from a client. The implementation is simple: if a client fails JWT authorization X times, they are added to a cooldown and any subsequent requests will be denied until the cooldown completes.

The failure limit is controlled in the [signer] config with jwt_auth_fail_limit, or with the SIGNER_JWT_AUTH_FAIL_LIMIT_ENV environment variable.

The cooldown timeout (in seconds) is controlled in the [signer] config with jwt_auth_fail_timeout_seconds, or with the SIGNER_JWT_AUTH_FAIL_TIMEOUT_SECONDS_ENV environment variable.

As a side-effect, this also adds a unit testing setup for the Signer module since one wasn't in place yet. A test for this rate limiting behavior is included.

ltitanb and others added 28 commits May 13, 2025 17:17
@ltitanb @jclapis
bump version
c68125d
@jclapis
Successful cross-compilation, but runtime has memory allocation issues
d9979a2
@jclapis
Working with OpenSSL static-linked
97ef653
@jclapis
Got dynamic linking working, added a feature flag to toggle dynamic v…
91eefe2 
…s. static
@jclapis
Fixed the vendored build arg
de09415
@jclapis
Reintroduced the cargo chef setup
3aee63d
@jclapis
Ported the cross-compilation stuff into PBS
c07c717
@jclapis
Split the dockerfiles into separate builder / image definitions
699b7ec
@jclapis
Added a build guide
7165f12
@jclapis
Refactored the Github release action to use the Docker builder
9438dae
@jclapis
Fixed the Docker image binary filenames
12c020a
@jclapis
Cleaned up the Darwin artifact step
53cafc0
@jclapis
Made the CI workflow and justfile use the same toolchain as the source
58c6117
@jclapis
Revert "Made the CI workflow and justfile use the same toolchain as t…
45e581b 
…he source"

This reverts commit 58c6117.
@jclapis
Testing removal of OpenSSL vendored option
24a10c5
@jclapis
Updating just in the CI workflow
e36da54
@jclapis
Merge branch 'main' into cross-compile
843b110
@jclapis
Refactored the signer to support host and port config settings
e7c6d19
@jclapis
Updated docs
6117219
@jclapis
Fixing Clippy in CI workflow
c0f591d
@jclapis
Removed obviated CI setup
adbd34a
@jclapis
Minor dedup of RwLock guard acquisition
e3488b3
@jclapis
Added rate limiting for signer clients with repeated JWT auth failures
c3d7ec4
@jclapis
Added Signer config validation
9ddad64
@jclapis
Started unit test setup for the Signer
c62185e
@jclapis
Finished a basic signer module unit test
dc73c62
@jclapis
Added a JWT failure unit test
6c3d967
@jclapis
Added a rate limit test and cleaned up a bit
6464638
@jclapis jclapis self-assigned this May 28, 2025
@jclapis jclapis added the signer Signer module label May 28, 2025
@jclapis jclapis changed the title Implement rate limiting for JWT auth failures CBST2-06: Implement rate limiting for JWT auth failures Jun 3, 2025
@jclapis jclapis marked this pull request as ready for review June 9, 2025 21:15
@jclapis jclapis mentioned this pull request Jun 10, 2025
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@jclapis jclapis

Labels
signer Signer module
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jclapis @ltitanb