chore: limit solution to oauth opaque tokens

Author: wobsoriano

…_tests__/machineTokenRateLimiter.test.ts …/__tests__/oauthTokenRateLimiter.test.tspackages/backend/src/tokens/__tests__/machineTokenRateLimiter.test.ts renamed to packages/backend/src/tokens/__tests__/oauthTokenRateLimiter.test.ts packages/backend/src/tokens/__tests__/machineTokenRateLimiter.test.ts renamed to packages/backend/src/tokens/__tests__/oauthTokenRateLimiter.test.ts

@@ -1,79 +1,79 @@
 import { afterEach, describe, expect, it, vi } from 'vitest';
 
-import { checkMachineTokenRateLimit, resetMachineTokenRateLimiter } from '../machineTokenRateLimiter';
+import { checkOAuthTokenRateLimit, resetOAuthTokenRateLimiter } from '../oauthTokenRateLimiter';
 
 afterEach(() => {
-  resetMachineTokenRateLimiter();
+  resetOAuthTokenRateLimiter();
   vi.useRealTimers();
 });
 
-describe('checkMachineTokenRateLimit', () => {
+describe('checkOAuthTokenRateLimit', () => {
   it('allows the first request from an IP', () => {
-    expect(checkMachineTokenRateLimit('1.2.3.4')).toBe(true);
+    expect(checkOAuthTokenRateLimit('1.2.3.4')).toBe(true);
   });
 
   it('allows up to MAX_BURST requests in a burst', () => {
     const ip = '10.0.0.1';
     for (let i = 0; i < 20; i++) {
-      expect(checkMachineTokenRateLimit(ip), `request ${i + 1} should be allowed`).toBe(true);
+      expect(checkOAuthTokenRateLimit(ip), `request ${i + 1} should be allowed`).toBe(true);
     }
   });
 
   it('blocks requests that exceed MAX_BURST', () => {
     const ip = '10.0.0.2';
     for (let i = 0; i < 20; i++) {
-      checkMachineTokenRateLimit(ip);
+      checkOAuthTokenRateLimit(ip);
     }
-    expect(checkMachineTokenRateLimit(ip)).toBe(false);
+    expect(checkOAuthTokenRateLimit(ip)).toBe(false);
   });
 
   it('allows requests again after tokens refill', () => {
     vi.useFakeTimers();
     const ip = '10.0.0.3';
     for (let i = 0; i < 20; i++) {
-      checkMachineTokenRateLimit(ip);
+      checkOAuthTokenRateLimit(ip);
     }
-    expect(checkMachineTokenRateLimit(ip)).toBe(false);
+    expect(checkOAuthTokenRateLimit(ip)).toBe(false);
 
     // Advance 2 seconds: at 10 tokens/s, 20 new tokens should be available
     vi.advanceTimersByTime(2000);
-    expect(checkMachineTokenRateLimit(ip)).toBe(true);
+    expect(checkOAuthTokenRateLimit(ip)).toBe(true);
   });
 
   it('tracks different IPs independently', () => {
     const ipA = '192.168.1.1';
     const ipB = '192.168.1.2';
     for (let i = 0; i < 20; i++) {
-      checkMachineTokenRateLimit(ipA);
+      checkOAuthTokenRateLimit(ipA);
     }
-    expect(checkMachineTokenRateLimit(ipA)).toBe(false);
-    expect(checkMachineTokenRateLimit(ipB)).toBe(true);
+    expect(checkOAuthTokenRateLimit(ipA)).toBe(false);
+    expect(checkOAuthTokenRateLimit(ipB)).toBe(true);
   });
 
   it('treats the unknown sentinel as a single IP', () => {
     for (let i = 0; i < 20; i++) {
-      checkMachineTokenRateLimit('unknown');
+      checkOAuthTokenRateLimit('unknown');
     }
-    expect(checkMachineTokenRateLimit('unknown')).toBe(false);
+    expect(checkOAuthTokenRateLimit('unknown')).toBe(false);
   });
 
   it('evicts the oldest bucket and allows a new IP when MAX_BUCKETS is reached', () => {
     // Fill up to MAX_BUCKETS (10 000) unique IPs
     for (let i = 0; i < 10_000; i++) {
-      checkMachineTokenRateLimit(`10.${Math.floor(i / 65536)}.${Math.floor((i % 65536) / 256)}.${i % 256}`);
+      checkOAuthTokenRateLimit(`10.${Math.floor(i / 65536)}.${Math.floor((i % 65536) / 256)}.${i % 256}`);
     }
     // The 10 001st IP triggers eviction of the oldest entry; the new IP gets a fresh bucket
     const freshIp = '172.16.0.1';
-    expect(checkMachineTokenRateLimit(freshIp)).toBe(true);
+    expect(checkOAuthTokenRateLimit(freshIp)).toBe(true);
   });
 
-  it('allows a previously blocked IP after resetMachineTokenRateLimiter', () => {
+  it('allows a previously blocked IP after resetOAuthTokenRateLimiter', () => {
     const ip = '5.5.5.5';
     for (let i = 0; i < 21; i++) {
-      checkMachineTokenRateLimit(ip);
+      checkOAuthTokenRateLimit(ip);
     }
-    expect(checkMachineTokenRateLimit(ip)).toBe(false);
-    resetMachineTokenRateLimiter();
-    expect(checkMachineTokenRateLimit(ip)).toBe(true);
+    expect(checkOAuthTokenRateLimit(ip)).toBe(false);
+    resetOAuthTokenRateLimiter();
+    expect(checkOAuthTokenRateLimit(ip)).toBe(true);
   });
 });

packages/backend/src/tokens/__tests__/request.test.ts

@@ -2,7 +2,7 @@ import { http, HttpResponse } from 'msw';
 import { afterEach, beforeEach, describe, expect, it, test, vi } from 'vitest';
 
 import { MachineTokenVerificationErrorCode, TokenVerificationErrorReason } from '../../errors';
-import { checkMachineTokenRateLimit, resetMachineTokenRateLimiter } from '../machineTokenRateLimiter';
+import { checkOAuthTokenRateLimit, resetOAuthTokenRateLimiter } from '../oauthTokenRateLimiter';
 import {
   mockExpiredJwt,
   mockInvalidSignatureJwt,
@@ -1766,12 +1766,12 @@ describe('tokens.authenticateRequest(options)', () => {
 
     describe('Rate limiting', () => {
       afterEach(() => {
-        resetMachineTokenRateLimiter();
+        resetOAuthTokenRateLimiter();
       });
 
       const exhaustBucket = (ip: string) => {
         for (let i = 0; i < 20; i++) {
-          checkMachineTokenRateLimit(ip);
+          checkOAuthTokenRateLimit(ip);
         }
       };
 
@@ -1789,7 +1789,7 @@ describe('tokens.authenticateRequest(options)', () => {
         );
         expect(rateLimited).toBeMachineUnauthenticated({
           tokenType: 'oauth_token',
-          reason: AuthErrorReason.MachineTokenRateLimit,
+          reason: AuthErrorReason.OAuthTokenRateLimit,
           message: '',
         });
       });
@@ -1813,7 +1813,7 @@ describe('tokens.authenticateRequest(options)', () => {
         );
         expect(rateLimited).toBeMachineUnauthenticated({
           tokenType: 'oauth_token',
-          reason: AuthErrorReason.MachineTokenRateLimit,
+          reason: AuthErrorReason.OAuthTokenRateLimit,
           message: '',
         });
         // x-forwarded-for IP is untouched: a request using only that header must be allowed
@@ -1841,7 +1841,7 @@ describe('tokens.authenticateRequest(options)', () => {
         );
         expect(rateLimited).toBeMachineUnauthenticated({
           tokenType: 'oauth_token',
-          reason: AuthErrorReason.MachineTokenRateLimit,
+          reason: AuthErrorReason.OAuthTokenRateLimit,
           message: '',
         });
       });
@@ -1863,7 +1863,7 @@ describe('tokens.authenticateRequest(options)', () => {
         );
         expect(rateLimited).toBeMachineUnauthenticated({
           tokenType: 'oauth_token',
-          reason: AuthErrorReason.MachineTokenRateLimit,
+          reason: AuthErrorReason.OAuthTokenRateLimit,
           message: '',
         });
       });
@@ -1899,7 +1899,7 @@ describe('tokens.authenticateRequest(options)', () => {
           mockRequest({ authorization: `Bearer ${oauthJwt}`, 'cf-connecting-ip': ip }),
           mockOptions({ acceptsToken: 'oauth_token' }),
         );
-        expect(result.reason).not.toBe(AuthErrorReason.MachineTokenRateLimit);
+        expect(result.reason).not.toBe(AuthErrorReason.OAuthTokenRateLimit);
         vi.useRealTimers();
       });
 
@@ -1917,9 +1917,39 @@ describe('tokens.authenticateRequest(options)', () => {
           mockRequest({ authorization: `Bearer ${m2mJwt}`, 'cf-connecting-ip': ip }),
           mockOptions({ acceptsToken: 'm2m_token' }),
         );
-        expect(result.reason).not.toBe(AuthErrorReason.MachineTokenRateLimit);
+        expect(result.reason).not.toBe(AuthErrorReason.OAuthTokenRateLimit);
         vi.useRealTimers();
       });
+
+      test('opaque api_key tokens bypass the rate limiter', async () => {
+        server.use(
+          http.post(mockMachineAuthResponses.api_key.endpoint, () =>
+            HttpResponse.json(mockVerificationResults.api_key),
+          ),
+        );
+        const ip = '203.0.113.4';
+        exhaustBucket(ip);
+        const result = await authenticateRequest(
+          mockRequest({ authorization: `Bearer ${mockTokens.api_key}`, 'cf-connecting-ip': ip }),
+          mockOptions({ acceptsToken: 'api_key' }),
+        );
+        expect(result.reason).not.toBe(AuthErrorReason.OAuthTokenRateLimit);
+      });
+
+      test('opaque m2m tokens bypass the rate limiter', async () => {
+        server.use(
+          http.post(mockMachineAuthResponses.m2m_token.endpoint, () =>
+            HttpResponse.json(mockVerificationResults.m2m_token),
+          ),
+        );
+        const ip = '203.0.113.5';
+        exhaustBucket(ip);
+        const result = await authenticateRequest(
+          mockRequest({ authorization: `Bearer ${mockTokens.m2m_token}`, 'cf-connecting-ip': ip }),
+          mockOptions({ acceptsToken: 'm2m_token' }),
+        );
+        expect(result.reason).not.toBe(AuthErrorReason.OAuthTokenRateLimit);
+      });
     });
 
     describe('Token Location Validation', () => {

packages/backend/src/tokens/authStatus.ts

@@ -118,7 +118,7 @@ export const AuthErrorReason = {
   SessionTokenWithoutClientUAT: 'session-token-but-no-client-uat',
   ActiveOrganizationMismatch: 'active-organization-mismatch',
   TokenTypeMismatch: 'token-type-mismatch',
-  MachineTokenRateLimit: 'machine-token-rate-limit',
+  OAuthTokenRateLimit: 'oauth-token-rate-limit',
   UnexpectedError: 'unexpected-error',
 } as const;
 

packages/backend/src/tokens/machine.ts

@@ -90,6 +90,10 @@ export function isMachineTokenByPrefix(token: string): boolean {
   return MACHINE_TOKEN_PREFIXES.some(prefix => token.startsWith(prefix));
 }
 
+export function isOAuthTokenByPrefix(token: string): boolean {
+  return token.startsWith(OAUTH_TOKEN_PREFIX);
+}
+
 /**
  * Checks if a token is a machine token by looking at its prefix or if it's an OAuth/M2M JWT.
  *

…nd/src/tokens/machineTokenRateLimiter.ts …kend/src/tokens/oauthTokenRateLimiter.tspackages/backend/src/tokens/machineTokenRateLimiter.ts renamed to packages/backend/src/tokens/oauthTokenRateLimiter.ts packages/backend/src/tokens/machineTokenRateLimiter.ts renamed to packages/backend/src/tokens/oauthTokenRateLimiter.ts

@@ -5,7 +5,7 @@ const MAX_BUCKETS = 10_000;
 type Bucket = { tokens: number; lastRefill: number };
 const buckets = new Map<string, Bucket>();
 
-export function checkMachineTokenRateLimit(ip: string): boolean {
+export function checkOAuthTokenRateLimit(ip: string): boolean {
   if (buckets.size >= MAX_BUCKETS) {
     // Evict the oldest entry rather than clearing all buckets to prevent an attacker
     // from neutralizing rate limits by forcing key churn across many distinct IPs.
@@ -27,6 +27,6 @@ export function checkMachineTokenRateLimit(ip: string): boolean {
   return true;
 }
 
-export function resetMachineTokenRateLimiter(): void {
+export function resetOAuthTokenRateLimiter(): void {
   buckets.clear();
 }

packages/backend/src/tokens/request.ts

@@ -18,10 +18,10 @@ import {
   getMachineTokenType,
   isMachineJwt,
   isMachineToken,
-  isMachineTokenByPrefix,
+  isOAuthTokenByPrefix,
   isTokenTypeAccepted,
 } from './machine';
-import { checkMachineTokenRateLimit } from './machineTokenRateLimiter';
+import { checkOAuthTokenRateLimit } from './oauthTokenRateLimiter';
 import { OrganizationMatcher } from './organizationMatcher';
 import type { MachineTokenType, SessionTokenType } from './tokenTypes';
 import { TokenType } from './tokenTypes';
@@ -821,11 +821,11 @@ export const authenticateRequest: AuthenticateRequest = (async (
       return mismatchState;
     }
 
-    if (isMachineTokenByPrefix(tokenInHeader) && !checkMachineTokenRateLimit(extractCallerIp(request))) {
+    if (isOAuthTokenByPrefix(tokenInHeader) && !checkOAuthTokenRateLimit(extractCallerIp(request))) {
       return signedOut({
         tokenType: parsedTokenType,
         authenticateContext,
-        reason: AuthErrorReason.MachineTokenRateLimit,
+        reason: AuthErrorReason.OAuthTokenRateLimit,
         message: '',
       });
     }
@@ -857,11 +857,11 @@ export const authenticateRequest: AuthenticateRequest = (async (
         return mismatchState;
       }
 
-      if (isMachineTokenByPrefix(tokenInHeader) && !checkMachineTokenRateLimit(extractCallerIp(request))) {
+      if (isOAuthTokenByPrefix(tokenInHeader) && !checkOAuthTokenRateLimit(extractCallerIp(request))) {
         return signedOut({
           tokenType: parsedTokenType,
           authenticateContext,
-          reason: AuthErrorReason.MachineTokenRateLimit,
+          reason: AuthErrorReason.OAuthTokenRateLimit,
           message: '',
         });
       }