Skip to content

fix: enforce rate limit for sign-ups and sign-ins (fixes #2333)#2421

Open
nancysangani wants to merge 1 commit intosupabase:masterfrom
nancysangani:fix/rate-limit-sign-in-sign-ups
Open

fix: enforce rate limit for sign-ups and sign-ins (fixes #2333)#2421
nancysangani wants to merge 1 commit intosupabase:masterfrom
nancysangani:fix/rate-limit-sign-in-sign-ups

Conversation

@nancysangani
Copy link

@nancysangani nancysangani commented Mar 12, 2026

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

The rate limit for sign-ups and sign-ins configured via the dashboard or
config.toml (sign_in_sign_ups) is never enforced. Requests only get blocked
after ~30-50 attempts due to a different unrelated limit firing instead.

Fixes #2333

What is the new behavior?

Sign-up and sign-in requests are correctly blocked once the configured
limit is reached. The /token password grant (sign-in) is also now covered
by this limit, which it previously wasn't at all.

Additional context

Three issues were found:

  1. RateLimitSignInSignUps field was missing from GlobalConfiguration so
    the configured value was always silently ignored.
  2. The Signups limiter was incorrectly wired to RateLimitOtp instead of
    the sign-in/sign-up limit.
  3. Sign-ins (/token?grant_type=password) were using the token refresh
    limiter (default 150/5min) instead of the sign-in limit.

@nancysangani nancysangani requested a review from a team as a code owner March 12, 2026 13:30
Copilot AI review requested due to automatic review settings March 12, 2026 13:30
@nancysangani
Copy link
Author

nancysangani commented Mar 12, 2026

/cc @staaldraad
/cc @fadymak

Copilot AI reviewed Mar 12, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes issue #2333 where the configured rate limit for sign-ups and sign-ins was never enforced. Three bugs are addressed: a missing config field, incorrect limiter wiring for signups, and sign-ins using the wrong limiter.

Changes:

  • Add missing RateLimitSignInSignUps field to GlobalConfiguration so the env/config value is actually read.
  • Wire Signups and new SignIns limiters to RateLimitSignInSignUps instead of RateLimitOtp.
  • Use the SignIns limiter for password grant in the /token endpoint, keeping the token refresh limiter for other grant types.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
internal/conf/configuration.go Add RateLimitSignInSignUps field to config struct
internal/api/options.go Add SignIns limiter and wire both Signups/SignIns to the correct rate limit
internal/api/token.go Default /token to SignIns limiter; keep Token limiter for non-password grants

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

internal/api/options.go
Comment on lines +111 to +112
o.SignIns = newLimiterPer5mOver1h(gc.RateLimitSignInSignUps)
o.OAuthClientRegister = newLimiterPer5mOver1h(gc.RateLimitOAuthDynamicClientRegister)
Copy link

Copilot AI Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lines 111 and 112 use spaces for indentation instead of tabs, which is inconsistent with the rest of the file. Please use tabs to match the surrounding code.

Suggested change
o.SignIns = newLimiterPer5mOver1h(gc.RateLimitSignInSignUps)
o.OAuthClientRegister = newLimiterPer5mOver1h(gc.RateLimitOAuthDynamicClientRegister)
o.SignIns = newLimiterPer5mOver1h(gc.RateLimitSignInSignUps)
o.OAuthClientRegister = newLimiterPer5mOver1h(gc.RateLimitOAuthDynamicClientRegister)

Copilot uses AI. Check for mistakes.
@nancysangani
Copy link
Author

nancysangani commented Mar 18, 2026

/cc @cemalkilic
/cc @fadymak
/cc @staaldraad

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Auth rate limit for sign-ups and sign-ins is not enforced despite configuration

2 participants

@nancysangani