Skip to content

download-token 429 can block an entitled customer (tension with never-block-paying-customer invariant) #177

Description

@kilbot

Found by adversarial review of #173 (merged).

Finding (medium)

POST /api/account/downloads/token returns a hard 429 on over-quota (30/10min per customer) before checking entitlement. A legit customer can be locked out for the window by rapid clicks or a frontend retry loop — contradicting the stated 'rate limiting never blocks a paying customer' invariant (ADR 0011). Note: #173 ships a test that asserts the 429, so this is currently a blessed behavior — flagging the tension for an explicit decision.

Options

  • Make the limiter advisory for authenticated, entitled customers: log/alert on over-quota but still issue the token (the download itself re-checks entitlement and isn't rate-limited, so the protection value is low).
  • Or keep the hard 429 (stops a compromised session minting tokens in a loop) and accept the edge case.

Context

src/app/api/account/downloads/token/route.ts (limiter ~line 42).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions