Summary
The OAuth/SAML auth-flow rate limiter (multi-scope: session / IP / user) has no end-to-end integration coverage. TestAuthFlowRateLimiting_MultiScope exists but skips against the integration server, so only the unit tests in api/auth_flow_rate_limiter_test.go exercise the limiter. Add real integration coverage so the multi-scope 429 behavior is verified against a running server.
Follow-up to #477 (which isolated/containerized the integration harness and corrected the test's skip guard so it skips cleanly instead of failing).
Why it currently can't run
- The auth-flow limiter hard-codes a no-op in
build_mode=test (api/auth_flow_rate_limiter.go:74-78; TMI_BUILD_MODE is set from config by auth/service.go:109).
- The integration test server must run
build_mode=test for the built-in tmi OAuth provider that every other workflow test depends on.
- Therefore the limiter is disabled wherever the integration suite can authenticate, and the test skips (guarded by
framework.IsAuthFlowRateLimitingActive, which treats a present-but-zero X-RateLimit-Limit as "not enforcing").
What needs to happen
- Product affordance to enable the auth-flow limiter independently of
build_mode, so it can be exercised while the tmi provider is still available. Options to weigh:
- A dedicated toggle (e.g. an env/config flag) that forces the auth-flow limiter on regardless of build mode; or
- A dedicated non-test-mode server fixture for the rate-limit workflow tests.
- Refresh the stale test expectations:
TestAuthFlowRateLimiting_MultiScope asserts per-scope limits of 5 / 10 / 20, but the implementation now uses 100 across all scopes (api/auth_flow_rate_limiter.go checkRateLimitWithIPLimit). The test's multi-different-limits premise no longer reflects the code.
- Wire it into the harness:
scripts/run-integration-tests.py already supports TMI_TEST_ENABLE_RATE_LIMITING=true and a TMI_TEST_WORKFLOW_RUN filter; the new affordance should plug into that path so the test runs (and passes) when rate-limit coverage is requested, and continues to skip by default.
Acceptance Criteria
Notes
- Limiter no-op gate:
api/auth_flow_rate_limiter.go:74-78
- Build-mode env wiring:
auth/service.go:109
- Skip guard:
test/integration/framework/ratelimit.go (IsAuthFlowRateLimitingActive)
- Test:
test/integration/workflows/auth_flow_rate_limit_test.go
- Unit coverage (already exists):
api/auth_flow_rate_limiter_test.go
Summary
The OAuth/SAML auth-flow rate limiter (multi-scope: session / IP / user) has no end-to-end integration coverage.
TestAuthFlowRateLimiting_MultiScopeexists but skips against the integration server, so only the unit tests inapi/auth_flow_rate_limiter_test.goexercise the limiter. Add real integration coverage so the multi-scope 429 behavior is verified against a running server.Follow-up to #477 (which isolated/containerized the integration harness and corrected the test's skip guard so it skips cleanly instead of failing).
Why it currently can't run
build_mode=test(api/auth_flow_rate_limiter.go:74-78;TMI_BUILD_MODEis set from config byauth/service.go:109).build_mode=testfor the built-intmiOAuth provider that every other workflow test depends on.framework.IsAuthFlowRateLimitingActive, which treats a present-but-zeroX-RateLimit-Limitas "not enforcing").What needs to happen
build_mode, so it can be exercised while thetmiprovider is still available. Options to weigh:TestAuthFlowRateLimiting_MultiScopeasserts per-scope limits of 5 / 10 / 20, but the implementation now uses 100 across all scopes (api/auth_flow_rate_limiter.gocheckRateLimitWithIPLimit). The test's multi-different-limits premise no longer reflects the code.scripts/run-integration-tests.pyalready supportsTMI_TEST_ENABLE_RATE_LIMITING=trueand aTMI_TEST_WORKFLOW_RUNfilter; the new affordance should plug into that path so the test runs (and passes) when rate-limit coverage is requested, and continues to skip by default.Acceptance Criteria
tmiOAuth provider.TestAuthFlowRateLimiting_MultiScopeactually runs (not skips) under that mode and verifies session, IP, and user scope 429s +X-RateLimit-Scope/Retry-Afterheaders.make test-integration-pgrun is unaffected (rate limiting stays off by default; the test still skips cleanly there).Notes
api/auth_flow_rate_limiter.go:74-78auth/service.go:109test/integration/framework/ratelimit.go(IsAuthFlowRateLimitingActive)test/integration/workflows/auth_flow_rate_limit_test.goapi/auth_flow_rate_limiter_test.go