[management] report pat id for tokens used more than 120 times per minute

[pascal-fischer]

Describe your changes

Issue ticket number and link

Stack

Checklist

• Is it a bug fix
• Is a typo/documentation fix
• Is a feature enhancement
• It is a refactor
• Created tests that fail without the change (if possible)

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Documentation

Select exactly one:

• I added/updated documentation for this change
• Documentation is not needed for this change (explain why)

Docs PR URL (required if "docs added" is checked)

Paste the PR link from https://github.com/netbirdio/docs here:

https://github.com/netbirdio/docs/pull/__

Summary by CodeRabbit

• Bug Fixes

  • Adjusted Personal Access Token usage recording to increment only after token details are validated, improving accuracy.
  • Added targeted debug logging for tokens exhibiting very high activity.

• Refactor

  • Reworked token usage tracking flow to report usage by token identifier and streamline reporting.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

PAT usage increment moved from before the rate-limiter check to after retrieving PAT info, switching the increment key from the raw token to the PAT ID. reportUsageBuckets now iterates token IDs and logs a debug/high-usage message when a token's count exceeds 60.

Changes

Cohort / File(s)	Summary
PAT middleware and tracker management/server/http/middleware/auth_middleware.go, management/server/http/middleware/pat_usage_tracker.go	Move PAT usage increment to after successful GetPATInfo and use pat.ID instead of raw token; update snapshot iteration to for id, count := range snapshot and add debug log when count > 60; retain existing rate-limiting, expiration, and error flows.

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Check that moving IncrementUsage after GetPATInfo preserves intended behavior for invalid/expired tokens and rate-limiting paths.
• Verify pat.ID is always available and correctly used when incrementing usage and in logs.
• Confirm the new debug log threshold (count > 60) matches monitoring expectations.

Possibly related PRs

• [management] record pat usage metrics #4888 — Related changes that introduced PATUsageTracker and early IncrementUsage; this PR adjusts timing and identifier used for increments.
• [management] add pat rate limiting #4741 — Overlapping modifications to PAT authentication middleware and usage tracking logic.

Suggested reviewers

• bcmmbaga
• crn4

Poem

🐰 I hopped through tokens, soft and spry,
Moved the counts where IDs apply.
When one grows noisy, over sixty high,
I nudge a log, then wink an eye. ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is largely empty with placeholder template text and missing key sections like change description, issue reference, and explanation for why documentation is not needed.	Fill in the 'Describe your changes' section with implementation details, add the issue ticket number and link, and explain why documentation is not needed for this change.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding PAT ID reporting for tokens with high usage (>120 times/min).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/report-high-pat-id

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

management/server/http/middleware/pat_usage_tracker.go (1)

77-81: Consider log level and message clarity for high-usage alerts.

The changes correctly capture and log the PAT ID for high usage detection. However, consider these refinements:

1. Log level: Debug logs may not be visible in production. For operational alerts about potential abuse or rate-limiting concerns, consider using log.Infof or log.Warnf instead.

2. Log message wording: The message says "token %s" but logs the PAT ID, not the raw token value. Consider updating to: "High PAT usage detected: PAT ID %s used %d times in the last minute" for clarity.

3. Hardcoded threshold: The value 120 is hardcoded. Consider making this configurable via a constant or configuration parameter to allow different thresholds for different environments.

Apply this diff to improve log level and message clarity:

-			if count > 120 {
-				log.Debugf("High PAT usage detected: token %s used %d times in the last minute", id, count)
+			if count > 120 {
+				log.Warnf("High PAT usage detected: PAT ID %s used %d times in the last minute", id, count)
 			}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3f4f825 and 72fb097.

📒 Files selected for processing (2)

• management/server/http/middleware/auth_middleware.go (1 hunks)
• management/server/http/middleware/pat_usage_tracker.go (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

management/server/http/middleware/auth_middleware.go (1)

route/route.go (1)

• ID (48-48)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (26)

• GitHub Check: Management / Benchmark (API) (amd64, sqlite)
• GitHub Check: Management / Benchmark (amd64, postgres)
• GitHub Check: Management / Benchmark (amd64, sqlite)
• GitHub Check: Management / Integration (amd64, postgres)
• GitHub Check: Management / Benchmark (API) (amd64, postgres)
• GitHub Check: Management / Unit (amd64, mysql)
• GitHub Check: Management / Unit (amd64, sqlite)
• GitHub Check: Management / Unit (amd64, postgres)
• GitHub Check: Signal / Unit (386)
• GitHub Check: Relay / Unit (386)
• GitHub Check: Relay / Unit (amd64, -race)
• GitHub Check: Client (Docker) / Unit
• GitHub Check: Client / Unit (386)
• GitHub Check: Client / Unit (amd64)
• GitHub Check: Client / Unit
• GitHub Check: Client / Unit
• GitHub Check: release_ui_darwin
• GitHub Check: release_ui
• GitHub Check: release
• GitHub Check: Linux
• GitHub Check: Client / Unit
• GitHub Check: JS / Lint
• GitHub Check: Darwin
• GitHub Check: Windows
• GitHub Check: iOS / Build
• GitHub Check: Android / Build

🔇 Additional comments (1)

management/server/http/middleware/auth_middleware.go (1)

185-188: Confirm that expired PAT tracking is intentional for abuse detection monitoring.

The code tracks all PAT access attempts, including expired ones (lines 186-188), which appears intentional for detecting abuse patterns. This is separate from MarkPATUsed (line 194), which is only called for valid, non-expired tokens. No other usage tracking calls exist in the codebase, so the implementation is consistent.

If the intent is to track all access attempts for monitoring, the current placement is correct. If you want to track only valid PAT usage, move the IncrementUsage block after the expiration check (line 192).

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 72fb097 and b6c2b39.

📒 Files selected for processing (1)

• management/server/http/middleware/pat_usage_tracker.go (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (27)

• GitHub Check: Management / Unit (amd64, postgres)
• GitHub Check: Management / Integration (amd64, postgres)
• GitHub Check: Management / Unit (amd64, mysql)
• GitHub Check: Management / Benchmark (API) (amd64, sqlite)
• GitHub Check: Management / Benchmark (amd64, sqlite)
• GitHub Check: Management / Benchmark (API) (amd64, postgres)
• GitHub Check: Management / Unit (amd64, sqlite)
• GitHub Check: Management / Benchmark (amd64, postgres)
• GitHub Check: Signal / Unit (amd64)
• GitHub Check: Signal / Unit (386)
• GitHub Check: Relay / Unit (amd64, -race)
• GitHub Check: Client / Unit (386)
• GitHub Check: Relay / Unit (386)
• GitHub Check: Client (Docker) / Unit
• GitHub Check: Client / Unit (amd64)
• GitHub Check: iOS / Build
• GitHub Check: Android / Build
• GitHub Check: release_ui_darwin
• GitHub Check: release
• GitHub Check: release_ui
• GitHub Check: Windows
• GitHub Check: Darwin
• GitHub Check: Linux
• GitHub Check: Client / Unit
• GitHub Check: Client / Unit
• GitHub Check: JS / Lint
• GitHub Check: Client / Unit

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Align high‑usage threshold and log wording with PR intent

Two points here:

1. Threshold mismatch with PR title/intent
   The PR title mentions “tokens used more than 120 times per minute”, but the code logs high usage at count > 60. That’s a behavioral mismatch and could lead to unexpected alert volume or missed true “>120/min” cases. Consider updating and centralizing the threshold, e.g.:

-   if count > 60 {
-       log.Debugf("High PAT usage detected: token %s used %d times in the last minute", id, count)
+   const highPATUsageThresholdPerMinute = 120
+   if count > highPATUsageThresholdPerMinute {
+       log.Debugf("High PAT usage detected: PAT ID %s used %d times in the last minute", id, count)
    }

If “more than 120” should be interpreted as >= 120 or > 120, please adjust the comparison accordingly.

2. Log message clarity
   The variable is now a PAT ID, but the message still says “token %s”. Renaming it to “PAT ID %s” (or similar) will avoid confusion when reading logs and makes it clear we’re not logging the raw secret.

Committable suggestion skipped: line range outside the PR's diff.