Skip to content

v0.23.0

Choose a tag to compare

@github-actions github-actions released this 11 Jun 16:22
07c2eb5

Added

  • Per-audience rate limits at POST /oauth/token — new
    rate_limits.api_token_per_audience_per_ip config (Hash of
    audience => max requests per IP per 15 minutes, default {}). Lets hosts
    tighten the cap for higher-risk audiences (e.g. a public mobile app) while
    internal/partner audiences keep the global api_token_per_ip ceiling. A
    request must pass both its audience cap and the global cap. Implemented as
    an explicit before_action counter rather than the Rails rate_limit
    DSL: the DSL counts every request reaching the action, and a by: block
    returning nil does not exempt a request — it collapses into a shared
    bucket keyed without the discriminator, so one audience's rule would
    throttle every other audience's traffic. Only requests that actually
    target a configured audience increment that audience's per-IP counter.
    Exceeding the cap renders the standard rate_limit_exceeded JSON error
    with Retry-After.

Fixed

  • SOCIAL_AUTH_FAILED is now emitted on the API (mobile) callback path
    too.
    Since 0.16.0 the event fired only from the web callback
    (Web::Auth::Callback::ProvidersController); on
    POST /api/oauth/callback/:provider an infrastructure-level provider
    failure (StandardId::OAuthError from the provider call) fell through to
    the standard handle_oauth_error JSON response without emitting, so host
    apps observing provider outages via the event were blind on the API flow
    (and had to monkey-patch get_user_info_from_provider to compensate).
    The rescue is scoped to the provider call: OAuthError subclasses raised
    later in the flow (SocialLinkError, InvalidRequestError, ...) are
    policy/client errors and still do not emit. The JSON error response is
    unchanged.