Found by adversarial review of #173 (merged).
Finding (medium)
POST /api/account/downloads/token returns a hard 429 on over-quota (30/10min per customer) before checking entitlement. A legit customer can be locked out for the window by rapid clicks or a frontend retry loop — contradicting the stated 'rate limiting never blocks a paying customer' invariant (ADR 0011). Note: #173 ships a test that asserts the 429, so this is currently a blessed behavior — flagging the tension for an explicit decision.
Options
- Make the limiter advisory for authenticated, entitled customers: log/alert on over-quota but still issue the token (the download itself re-checks entitlement and isn't rate-limited, so the protection value is low).
- Or keep the hard 429 (stops a compromised session minting tokens in a loop) and accept the edge case.
Context
src/app/api/account/downloads/token/route.ts (limiter ~line 42).
Found by adversarial review of #173 (merged).
Finding (medium)
POST /api/account/downloads/tokenreturns a hard 429 on over-quota (30/10min per customer) before checking entitlement. A legit customer can be locked out for the window by rapid clicks or a frontend retry loop — contradicting the stated 'rate limiting never blocks a paying customer' invariant (ADR 0011). Note: #173 ships a test that asserts the 429, so this is currently a blessed behavior — flagging the tension for an explicit decision.Options
Context
src/app/api/account/downloads/token/route.ts(limiter ~line 42).