security: rate-limit route handlers that perform authorization #23
Merged
davidcrowe merged 1 commit into main on Apr 14, 2026
Conversation
Closes two CodeQL `js/missing-rate-limiting` alerts:

#51 `apps/gateway-server/src/app.ts` — `/protected` pipeline had no pre-auth rate limiter. Added a generic IP-keyed limiter in front of `identifiabl` so an attacker cannot flood the endpoint with invalid JWTs and exhaust the RSA verify path. The per-identity limiter (`limitabl`) still runs behind it for the real per-user cap.

#47 `packages/proxyabl/src/tool-gateway.ts` — the proxy catch-all route performed `verifyBearer` without any rate limiter middleware. Applied the existing `toolLimiter` (already defined in the same file for other routes).
Closes two CodeQL `js/missing-rate-limiting` alerts.

Findings addressed

#51 — `apps/gateway-server/src/app.ts:169` (regression from PR #21)

The `/protected` pipeline runs `identifiabl → limitabl → transformabl`. The per-identity limiter (`limitabl`) can't rate-limit invalid JWT attempts — it needs `req.user.sub` to derive its key, and unauth requests fall back to IP, which partitions poorly. An attacker can flood the endpoint with garbage JWTs and exhaust the RSA verify path before `limitabl` sees them.

Fix: added a generic IP-keyed `rateLimit` in front of `identifiabl`. Ceiling is `limit * 10` — well above normal traffic; the real per-user cap is still `limitabl` downstream. Same pattern the `/tools` pipeline in this file already uses (`toolsRateLimiter`).

#47 — `packages/proxyabl/src/tool-gateway.ts:1237` (pre-existing)

The proxy catch-all route did `verifyBearer` with no rate limiter. Applied the existing `toolLimiter` that's already defined in the same file for other routes.

Test plan

`npm run build` — clean
`npx vitest run` — 159/159

Notes

`apps/gateway-server` is not published, and the `proxyabl` change is a drop-in middleware composition with no API surface change.

>=8.0.0, <=8.0.4. Not addressed here; will auto-close on next scan or can be dismissed.