fix(dashboard-api): prune magic-link rate limit buckets to prevent memory leak#1670
Conversation
|
Thanks for tightening the magic-link failure limiter; bounding that in-memory bucket map is the right direction for this auth surface. Advisory status: not ready yet Quickest path to merge:
What I checked:
Thanks again for pushing this auth hardening forward. |
|
I've added the requested regression tests in Let me know if there's anything else needed! |
|
Thanks for adding the magic-link limiter regressions after the first advisory pass. Advisory status: looks merge-ready What looks good:
What I checked:
Thanks again for tightening this auth surface. |
Description
Fixes a memory leak in the magic link rate limiter.
The
_RATE_LIMIT_BUCKETSdictionary was accumulating IP addresses indefinitely because expired buckets were just having their count set to 0 instead of being popped. If a bot or scanner hits this endpoint from many unique IPs over time, this dictionary would grow indefinitely.This PR does two things:
pop()instead of setting the count to 0 when an IP's window expires.