You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Added
Per-audience rate limits at POST /oauth/token — new rate_limits.api_token_per_audience_per_ip config (Hash of
audience => max requests per IP per 15 minutes, default {}). Lets hosts
tighten the cap for higher-risk audiences (e.g. a public mobile app) while
internal/partner audiences keep the global api_token_per_ip ceiling. A
request must pass both its audience cap and the global cap. Implemented as
an explicit before_action counter rather than the Rails rate_limit
DSL: the DSL counts every request reaching the action, and a by: block
returning nil does not exempt a request — it collapses into a shared
bucket keyed without the discriminator, so one audience's rule would
throttle every other audience's traffic. Only requests that actually
target a configured audience increment that audience's per-IP counter.
Exceeding the cap renders the standard rate_limit_exceeded JSON error
with Retry-After.
Fixed
SOCIAL_AUTH_FAILED is now emitted on the API (mobile) callback path
too. Since 0.16.0 the event fired only from the web callback
(Web::Auth::Callback::ProvidersController); on POST /api/oauth/callback/:provider an infrastructure-level provider
failure (StandardId::OAuthError from the provider call) fell through to
the standard handle_oauth_error JSON response without emitting, so host
apps observing provider outages via the event were blind on the API flow
(and had to monkey-patch get_user_info_from_provider to compensate).
The rescue is scoped to the provider call: OAuthError subclasses raised
later in the flow (SocialLinkError, InvalidRequestError, ...) are
policy/client errors and still do not emit. The JSON error response is
unchanged.