chore: address coderabbit comments

wobsoriano · wobsoriano · commit 2a1b3a8dcbd4 · 2026-05-11T14:51:26.000-07:00
diff --git a/packages/backend/src/tokens/__tests__/machineTokenRateLimiter.test.ts b/packages/backend/src/tokens/__tests__/machineTokenRateLimiter.test.ts
@@ -57,12 +57,12 @@ describe('checkMachineTokenRateLimit', () => {
     expect(checkMachineTokenRateLimit('unknown')).toBe(false);
   });
 
-  it('clears all buckets and allows requests again when MAX_BUCKETS is reached', () => {
+  it('evicts the oldest bucket and allows a new IP when MAX_BUCKETS is reached', () => {
     // Fill up to MAX_BUCKETS (10 000) unique IPs
     for (let i = 0; i < 10_000; i++) {
       checkMachineTokenRateLimit(`10.${Math.floor(i / 65536)}.${Math.floor((i % 65536) / 256)}.${i % 256}`);
     }
-    // The 10 001st IP triggers the clear; the new IP gets a fresh bucket
+    // The 10 001st IP triggers eviction of the oldest entry; the new IP gets a fresh bucket
     const freshIp = '172.16.0.1';
     expect(checkMachineTokenRateLimit(freshIp)).toBe(true);
   });
diff --git a/packages/backend/src/tokens/machineTokenRateLimiter.ts b/packages/backend/src/tokens/machineTokenRateLimiter.ts
@@ -7,7 +7,12 @@ const buckets = new Map<string, Bucket>();
 
 export function checkMachineTokenRateLimit(ip: string): boolean {
   if (buckets.size >= MAX_BUCKETS) {
-    buckets.clear();
+    // Evict the oldest entry rather than clearing all buckets to prevent an attacker
+    // from neutralizing rate limits by forcing key churn across many distinct IPs.
+    const oldest = buckets.keys().next().value;
+    if (oldest !== undefined) {
+      buckets.delete(oldest);
+    }
   }
   const now = Date.now();
   const existing = buckets.get(ip);
diff --git a/packages/backend/src/tokens/request.ts b/packages/backend/src/tokens/request.ts
@@ -28,6 +28,9 @@ import { TokenType } from './tokenTypes';
 import type { AuthenticateRequestOptions } from './types';
 import { verifyMachineAuthToken, verifyToken } from './verify';
 
+// NOTE: IP headers like x-forwarded-for can be spoofed by clients not behind a trusted proxy.
+// cf-connecting-ip (set by Cloudflare) and x-real-ip (set by Nginx) are more reliable when present.
+// The rate limiter is defense-in-depth against BAPI quota exhaustion, not a security boundary.
 function extractCallerIp(request: Request): string {
   const cfConnectingIp = request.headers.get(constants.Headers.CfConnectingIp);
   if (cfConnectingIp) {
