This is an automated email from the ASF dual-hosted git repository.

arm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git


The following commit(s) were added to refs/heads/main by this push:
     new a48bedb  #535 - Add rate limiting on PAT and JWT endpoints
a48bedb is described below

commit a48bedbd6d5173e91f583cf2ec0b58c39adc8ff4
Author: Alastair McFarlane <[email protected]>
AuthorDate: Fri Jan 23 13:31:55 2026 +0000

    #535 - Add rate limiting on PAT and JWT endpoints
---
 atr/post/tokens.py    | 3 +++
 notes/api-security.md | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/atr/post/tokens.py b/atr/post/tokens.py
index ef5f755..6d55f4a 100644
--- a/atr/post/tokens.py
+++ b/atr/post/tokens.py
@@ -21,6 +21,7 @@ import secrets
 from typing import Final
 
 import quart
+import quart_rate_limiter as rate_limiter
 
 import atr.blueprints.post as post
 import atr.get as get
@@ -34,6 +35,7 @@ _EXPIRY_DAYS: Final[int] = 180
 
 
 @post.committer("/tokens/jwt")
+@rate_limiter.rate_limit(10, datetime.timedelta(hours=1))
 @post.empty()
 async def jwt_post(session: web.Committer) -> web.QuartResponse:
     jwt_token = jwtoken.issue(session.uid)
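Review bot: The limit added on the new decorator line is not keyed on the committer: `rate_limit(10, datetime.timedelta(hours=1))` passes no `key_function`, so the bucket is whatever the limiter's default key is (the remote address unless the app-level `RateLimiter` was configured otherwise), which does not match the accompanying notes/api-security.md text claiming the limit is "per IP/ASF UID". If the service sits behind a reverse proxy that is not trusted for forwarded addresses, every committer would share one 10-per-hour bucket, so either the key function should include `session.uid` (or the doc note should drop the "ASF UID" claim) and the chosen key should be stated in a comment above the decorator, e.g. `# Limit is per remote address; see notes/api-security.md`. The same applies to the identical decorator added on the `/tokens` handler in the next hunk. Because quart_rate_limiter enforces limits from attributes stored on the registered view function, it is also worth confirming that `post.committer` preserves that attribute when it wraps the handler (a request test expecting the 11th call within an hour to be rejected would settle it). jwt_post's body continues outside the hunk.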
@@ -41,6 +43,7 @@ async def jwt_post(session: web.Committer) -> 
web.QuartResponse:
 
 
 @post.committer("/tokens")
+@rate_limiter.rate_limit(10, datetime.timedelta(hours=1))
 @post.form(shared.tokens.TokenForm)
 async def tokens(session: web.Committer, token_form: shared.tokens.TokenForm) 
-> web.WerkzeugResponse:
     match token_form:
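Review bot: The rate-limit parameters on the new decorator line duplicate the literals used on `jwt_post`, while the module already names its other tunable as `_EXPIRY_DAYS: Final[int] = 180`; keeping the two endpoints in lock-step is easier with module constants such as `_TOKEN_RATE_LIMIT: Final[int] = 10` and `_TOKEN_RATE_PERIOD: Final = datetime.timedelta(hours=1)`, applied as `@rate_limiter.rate_limit(_TOKEN_RATE_LIMIT, _TOKEN_RATE_PERIOD)`. This also gives the security note in notes/api-security.md a single place to point at when the values change. The `tokens` function body continues outside the hunk.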
diff --git a/notes/api-security.md b/notes/api-security.md
index f99c5f1..0051cc7 100644
--- a/notes/api-security.md
+++ b/notes/api-security.md
@@ -35,4 +35,4 @@ We do not presently have logging or auditing of the logging 
for the API. Once we
 
 We do not use all available JWT fields, such as `iss` (issuer).
 
-We do not rate limit PAT or JWT issuance.
+Security-related actions, such as PAT and JWT issuance, are rate limited to 10 
per hour per IP/ASF UID.

