is: Rate limit entity creation by method and token

Previously, Create<Entity>Request was rate-limited per the entityID
generated by the IDString interface, which was ineffective since each
new entity has an unique ID. This allowed unlimited device creation
attempts.

Now rate limiting is applied withou the entityID, properly restricting
create requests using full-method and auth-token strings as key.

Author: nicholaspcr

pkg/ttnpb/application_interfaces.go

@@ -74,6 +74,11 @@ func (m *CreateApplicationRequest) IDString() string {
 	return m.GetApplication().IDString()
 }
 
+// RateLimitKey is the implementation of the RateLimitKeyer interface.
+func (*CreateApplicationRequest) RateLimitKey() string {
+	return ""
+}
+
 func (m *UpdateApplicationRequest) IDString() string {
 	return m.GetApplication().IDString()
 }

pkg/ttnpb/application_ratelimit_test.go

@@ -0,0 +1,111 @@
+// Copyright © 2025 The Things Network Foundation, The Things Industries B.V.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ttnpb_test
+
+import (
+	"testing"
+
+	"go.thethings.network/lorawan-stack/v3/pkg/ttnpb"
+)
+
+func TestCreateApplicationRequest_RateLimitKey(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name     string
+		req      *ttnpb.CreateApplicationRequest
+		expected string
+	}{
+		{
+			name: "valid request with user collaborator",
+			req: &ttnpb.CreateApplicationRequest{
+				Application: &ttnpb.Application{
+					Ids: &ttnpb.ApplicationIdentifiers{
+						ApplicationId: "test-app-1",
+					},
+				},
+				Collaborator: &ttnpb.OrganizationOrUserIdentifiers{
+					Ids: &ttnpb.OrganizationOrUserIdentifiers_UserIds{
+						UserIds: &ttnpb.UserIdentifiers{
+							UserId: "test-user",
+						},
+					},
+				},
+			},
+			expected: "",
+		},
+		{
+			name: "different app same user",
+			req: &ttnpb.CreateApplicationRequest{
+				Application: &ttnpb.Application{
+					Ids: &ttnpb.ApplicationIdentifiers{
+						ApplicationId: "test-app-2",
+					},
+				},
+				Collaborator: &ttnpb.OrganizationOrUserIdentifiers{
+					Ids: &ttnpb.OrganizationOrUserIdentifiers_UserIds{
+						UserIds: &ttnpb.UserIdentifiers{
+							UserId: "test-user",
+						},
+					},
+				},
+			},
+			expected: "",
+		},
+		{
+			name: "valid request with organization collaborator",
+			req: &ttnpb.CreateApplicationRequest{
+				Application: &ttnpb.Application{
+					Ids: &ttnpb.ApplicationIdentifiers{
+						ApplicationId: "test-app-3",
+					},
+				},
+				Collaborator: &ttnpb.OrganizationOrUserIdentifiers{
+					Ids: &ttnpb.OrganizationOrUserIdentifiers_OrganizationIds{
+						OrganizationIds: &ttnpb.OrganizationIdentifiers{
+							OrganizationId: "test-org",
+						},
+					},
+				},
+			},
+			expected: "",
+		},
+		{
+			name: "nil collaborator",
+			req: &ttnpb.CreateApplicationRequest{
+				Application: &ttnpb.Application{
+					Ids: &ttnpb.ApplicationIdentifiers{
+						ApplicationId: "test-app",
+					},
+				},
+			},
+			expected: "",
+		},
+		{
+			name:     "nil request",
+			req:      &ttnpb.CreateApplicationRequest{},
+			expected: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got := tt.req.RateLimitKey()
+			if got != tt.expected {
+				t.Errorf("RateLimitKey() = %v, want %v", got, tt.expected)
+			}
+		})
+	}
+}

pkg/ttnpb/client_interfaces.go

@@ -58,6 +58,11 @@ func (m *CreateClientRequest) IDString() string {
 	return m.GetClient().IDString()
 }
 
+// RateLimitKey is the implementation of the RateLimitKeyer interface.
+func (*CreateClientRequest) RateLimitKey() string {
+	return ""
+}
+
 func (m *UpdateClientRequest) IDString() string {
 	return m.GetClient().IDString()
 }

pkg/ttnpb/client_ratelimit_test.go

@@ -0,0 +1,111 @@
+// Copyright © 2025 The Things Network Foundation, The Things Industries B.V.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ttnpb_test
+
+import (
+	"testing"
+
+	"go.thethings.network/lorawan-stack/v3/pkg/ttnpb"
+)
+
+func TestCreateClientRequest_RateLimitKey(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name     string
+		req      *ttnpb.CreateClientRequest
+		expected string
+	}{
+		{
+			name: "valid request with user collaborator",
+			req: &ttnpb.CreateClientRequest{
+				Client: &ttnpb.Client{
+					Ids: &ttnpb.ClientIdentifiers{
+						ClientId: "test-client-1",
+					},
+				},
+				Collaborator: &ttnpb.OrganizationOrUserIdentifiers{
+					Ids: &ttnpb.OrganizationOrUserIdentifiers_UserIds{
+						UserIds: &ttnpb.UserIdentifiers{
+							UserId: "test-user",
+						},
+					},
+				},
+			},
+			expected: "",
+		},
+		{
+			name: "different client same user",
+			req: &ttnpb.CreateClientRequest{
+				Client: &ttnpb.Client{
+					Ids: &ttnpb.ClientIdentifiers{
+						ClientId: "test-client-2",
+					},
+				},
+				Collaborator: &ttnpb.OrganizationOrUserIdentifiers{
+					Ids: &ttnpb.OrganizationOrUserIdentifiers_UserIds{
+						UserIds: &ttnpb.UserIdentifiers{
+							UserId: "test-user",
+						},
+					},
+				},
+			},
+			expected: "",
+		},
+		{
+			name: "valid request with organization collaborator",
+			req: &ttnpb.CreateClientRequest{
+				Client: &ttnpb.Client{
+					Ids: &ttnpb.ClientIdentifiers{
+						ClientId: "test-client-3",
+					},
+				},
+				Collaborator: &ttnpb.OrganizationOrUserIdentifiers{
+					Ids: &ttnpb.OrganizationOrUserIdentifiers_OrganizationIds{
+						OrganizationIds: &ttnpb.OrganizationIdentifiers{
+							OrganizationId: "test-org",
+						},
+					},
+				},
+			},
+			expected: "",
+		},
+		{
+			name: "nil collaborator",
+			req: &ttnpb.CreateClientRequest{
+				Client: &ttnpb.Client{
+					Ids: &ttnpb.ClientIdentifiers{
+						ClientId: "test-client",
+					},
+				},
+			},
+			expected: "",
+		},
+		{
+			name:     "nil request",
+			req:      &ttnpb.CreateClientRequest{},
+			expected: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got := tt.req.RateLimitKey()
+			if got != tt.expected {
+				t.Errorf("RateLimitKey() = %v, want %v", got, tt.expected)
+			}
+		})
+	}
+}

pkg/ttnpb/end_device.go

@@ -2990,6 +2990,11 @@ func (m *EndDevice) IDString() string {
 	return m.GetIds().IDString()
 }
 
+// RateLimitKey is the Implementation of the RateLimitKeyer interface.
+func (*CreateEndDeviceRequest) RateLimitKey() string {
+	return ""
+}
+
 // All ExtractRequestFields methods are used by github.com/grpc-ecosystem/go-grpc-middleware/tags.
 
 func (m *ResetAndGetEndDeviceRequest) ExtractRequestFields(dst map[string]interface{}) {

pkg/ttnpb/end_device_ratelimit_test.go

@@ -0,0 +1,74 @@
+// Copyright © 2025 The Things Network Foundation, The Things Industries B.V.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ttnpb_test
+
+import (
+	"testing"
+
+	"go.thethings.network/lorawan-stack/v3/pkg/ttnpb"
+)
+
+func TestCreateEndDeviceRequest_RateLimitKey(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name     string
+		req      *ttnpb.CreateEndDeviceRequest
+		expected string
+	}{
+		{
+			name: "valid request",
+			req: &ttnpb.CreateEndDeviceRequest{
+				EndDevice: &ttnpb.EndDevice{
+					Ids: &ttnpb.EndDeviceIdentifiers{
+						ApplicationIds: &ttnpb.ApplicationIdentifiers{
+							ApplicationId: "test-app",
+						},
+						DeviceId: "test-device-1",
+					},
+				},
+			},
+			expected: "",
+		},
+		{
+			name: "different device same app",
+			req: &ttnpb.CreateEndDeviceRequest{
+				EndDevice: &ttnpb.EndDevice{
+					Ids: &ttnpb.EndDeviceIdentifiers{
+						ApplicationIds: &ttnpb.ApplicationIdentifiers{
+							ApplicationId: "test-app",
+						},
+						DeviceId: "test-device-2",
+					},
+				},
+			},
+			expected: "",
+		},
+		{
+			name:     "nil request",
+			req:      &ttnpb.CreateEndDeviceRequest{},
+			expected: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got := tt.req.RateLimitKey()
+			if got != tt.expected {
+				t.Errorf("RateLimitKey() = %v, want %v", got, tt.expected)
+			}
+		})
+	}
+}

pkg/ttnpb/gateway_interfaces.go

@@ -74,6 +74,11 @@ func (m *CreateGatewayRequest) IDString() string {
 	return m.GetGateway().IDString()
 }
 
+// RateLimitKey is the implementation of the RateLimitKeyer interface.
+func (*CreateGatewayRequest) RateLimitKey() string {
+	return ""
+}
+
 func (m *UpdateGatewayRequest) IDString() string {
 	return m.GetGateway().IDString()
 }