Fix dynamic rate limiting for customers in state evaluation (eclipse#1623)

netomi · web-flow · commit 8addd635e687 · 2026-02-18T10:18:38.000+01:00
* fix access control expose headers for dev setup

* use UserService to ensure only valid tokens are taken into account

* only apply free tier limit if we did not identify a customer
diff --git a/server/src/dev/resources/application.yml b/server/src/dev/resources/application.yml
@@ -177,7 +177,7 @@ ovsx:
       - url: '/(api|vscode)/.*'
         http-response-headers:
           Access-Control-Allow-Origin: '*'
-          Access-Control-Expose-Headers: X-Rate-Limit-Retry-After-Seconds, X-Rate-Limit-Remaining
+          Access-Control-Expose-Headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, Retry-After
     default-http-content-type: application/json
     default-http-response-body: >
       {
diff --git a/server/src/main/java/org/eclipse/openvsx/ratelimit/IdentityService.java b/server/src/main/java/org/eclipse/openvsx/ratelimit/IdentityService.java
@@ -14,6 +14,7 @@
 
 import com.giffing.bucket4j.spring.boot.starter.context.ExpressionParams;
 import jakarta.servlet.http.HttpServletRequest;
+import org.eclipse.openvsx.UserService;
 import org.eclipse.openvsx.ratelimit.config.RateLimitConfig;
 import org.eclipse.openvsx.ratelimit.config.RateLimitProperties;
 import org.slf4j.Logger;
@@ -38,19 +39,22 @@ public class IdentityService {
 
     private final TierService tierService;
     private final CustomerService customerService;
+    private final UserService userService;
     private final RateLimitProperties rateLimitProperties;
 
     public IdentityService(
             ExpressionParser expressionParser,
             ConfigurableBeanFactory beanFactory,
             TierService tierService,
             CustomerService customerService,
+            UserService userService,
             RateLimitProperties rateLimitProperties
     ) {
         this.expressionParser = expressionParser;
         this.beanFactory = beanFactory;
         this.tierService = tierService;
         this.customerService = customerService;
+        this.userService = userService;
         this.rateLimitProperties = rateLimitProperties;
     }
 
@@ -60,9 +64,14 @@ public ResolvedIdentity resolveIdentity(HttpServletRequest request) {
 
         var token = request.getParameter("token");
         if (token != null) {
-            // we use the token as a cache key
-            // if the token is invalid, request will fail anyway
-            cacheKey = "token_" + token.hashCode();
+            // This will update the database with the time the token is last accessed,
+            // but we need to ensure that we only take valid tokens into account for rate limiting.
+            // If this turns out to be a bottleneck, we need to cache the token hashcode.
+            var tokenEntity = userService.useAccessToken(token);
+            if (tokenEntity != null) {
+                // if a valid token is present we use it as a cache key
+                cacheKey = "token_" + token.hashCode();
+            }
         }
 
         var customer = customerService.getCustomerByIpAddress(ipAddress);
@@ -75,7 +84,6 @@ public ResolvedIdentity resolveIdentity(HttpServletRequest request) {
             var sessionId = session != null ? session.getId() : null;
             if (sessionId != null) {
                 // we use the session id as a cache key
-                // if the session is invalid, request will fail anyway
                 cacheKey = "session_" + sessionId.hashCode();
             }
         }
diff --git a/server/src/main/java/org/eclipse/openvsx/ratelimit/RateLimitService.java b/server/src/main/java/org/eclipse/openvsx/ratelimit/RateLimitService.java
@@ -108,17 +108,19 @@ public BucketPair getBucket(ResolvedIdentity identity) {
         var builder = BucketConfiguration.builder();
 
         var hasLimits = false;
+        var useCustomerBandwidth = identity.cacheKey().startsWith("customer_");
 
-        if (identity.customer() != null && identity.cacheKey().startsWith("customer_")) {
+        // if this request is coming from an identified customer
+        if (identity.customer() != null && useCustomerBandwidth) {
             var customer = identity.customer();
             if (customer.getState() == EnforcementState.ENFORCEMENT) {
                 builder.addLimit(getBandWidth(customer.getTier()));
                 hasLimits = true;
             }
         }
 
-        // add the free tier bandwidth if no limits have been set so far
-        if (!hasLimits && identity.freeTier() != null) {
+        // add the free tier bandwidth for any other requests if available
+        if (!useCustomerBandwidth && identity.freeTier() != null) {
             builder.addLimit(getBandWidth(identity.freeTier()));
             hasLimits = true;
         }

Original file line number	Diff line number	Diff line change
`@@ -177,7 +177,7 @@ ovsx:`
`177`	`177`	`- url: '/(api\|vscode)/.*'`
`178`	`178`	`http-response-headers:`
`179`	`179`	`Access-Control-Allow-Origin: '*'`
`180`		`- Access-Control-Expose-Headers: X-Rate-Limit-Retry-After-Seconds, X-Rate-Limit-Remaining`
	`180`	`+ Access-Control-Expose-Headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, Retry-After`
`181`	`181`	`default-http-content-type: application/json`
`182`	`182`	`default-http-response-body: >`
`183`	`183`	`{`