Rate limit device creation by application ID instead of device ID

[nicholaspcr]

Previously, CreateEndDeviceRequest was rate-limited per device ID, which was ineffective since each new device has a unique ID. This allowed unlimited device creation attempts per application.

Now rate limiting is applied per application ID, properly restricting the rate of device creation requests at the application level.

Summary

This fixes a reported behavior where the rate-limiter does not work as intented

Changes

• Update the key used in the rate-limit operation associated with end-device creation

Testing

Steps

Unit tests

Regressions

This is a bug fix

Checklist

• Scope: The referenced issue is addressed, there are no unrelated changes.
• Compatibility: The changes are backwards compatible with existing API, storage, configuration and CLI, according to the compatibility commitments in README.md for the chosen target branch.
• Documentation: Relevant documentation is added or updated.
• Testing: The steps/process to test this feature are clearly explained including testing for regressions.
• Infrastructure: If infrastructural changes (e.g., new RPC, configuration) are needed, a separate issue is created in the infrastructural repositories.
• Changelog: Significant features, behavior changes, deprecations and fixes are added to CHANGELOG.md.
• Commits: Commit messages follow guidelines in CONTRIBUTING.md, there are no fixup commits left.

[happyRip]

LGTM, but fix linter issues.

[nicholaspcr]

@happyRip I ended up looking for other places where this could happen. As far as I know only requests that implement the IDString interface have this problem.

I ended up updating these requests to use the Collaborator as part of the key, so the limit is applied in a per collaborator basis.

I ended up using only the full-method and the auth-token as a key.

lorawan-stack/pkg/ratelimit/resource.go

Lines 93 to 100 in 3d0d2f1

	key := fmt.Sprintf("grpc:method:%s:%s", fullMethod, grpcEntityFromRequest(ctx, req))
	if authTokenID := authTokenID(ctx); authTokenID != unauthenticated {
	key = fmt.Sprintf("%s:token:%s", key, authTokenID)
	}
	return &resource{
	key: key,
	classes: []string{fmt.Sprintf("grpc:method:%s", fullMethod), "grpc:method"},
	}

This means that on creation, grpcEntityFromRequest returns an empty string.