feat(config): add rate limit configuration for emails in toml #3206
Conversation
Pull Request Test Coverage Report for Build 13535289202Warning: This coverage report may be inaccurate.This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.
Details
💛 - Coveralls |
pkg/config/templates/config.toml
Outdated
| # Rate limit for unauthenticated requests per minute | ||
| rate_limit_anonymous_users = 30 | ||
| # Rate limit for token refresh requests per minute | ||
| rate_limit_token_refresh = 150 | ||
| # Rate limit for OTP generation requests per minute | ||
| rate_limit_otp = 30 | ||
| # Rate limit for verification requests per minute | ||
| rate_limit_verify = 30 | ||
|
|
There was a problem hiding this comment.
I think it's worth moving them to a new struct so it aligns with our dashboard. For eg.
[auth.rate_limits]
# Number of emails that can be sent per hour. Requires auth.email.smtp to be enabled.
emails_sent = 2
# Number of SMS messages that can be sent per hour. Requires auth.sms to be enabled.
sms_sent = 30
# Number of sessions that can be refreshed in a 5 minute interval per IP address.
token_refreshes = 150
# Number of OTP / Magic link verifications that can be made in a 5 minute interval per IP address.
token_verifications = 30
# Number of anonymous sign-ins that can be made per hour per IP address. Requires enable_anonymous_sign_ins = true.
anonymous_users = 30
# Number of sign up and sign-in requests that can be made in a 5 minute interval per IP address (excludes anonymous users).
sign_in_sign_ups = 30Btw it's really confusing to me why rate_limit_otp maps to number of sign-in and sign-ups https://github.com/supabase/supabase/blob/master/apps/studio/components/interfaces/Auth/RateLimits/RateLimits.tsx#L417
There was a problem hiding this comment.
Regrouped it into the same struct, had to update a bunch of test snapshot because of it tough 😅
…ration-for-emails-in-configtoml
| # email_sent = 2 | ||
| # Number of SMS messages that can be sent per hour. Requires auth.sms to be enabled. | ||
| # sms_sent = 30 |
There was a problem hiding this comment.
| # email_sent = 2 | |
| # Number of SMS messages that can be sent per hour. Requires auth.sms to be enabled. | |
| # sms_sent = 30 | |
| email_sent = 2 | |
| # Number of SMS messages that can be sent per hour. Requires auth.sms to be enabled. | |
| sms_sent = 30 |
It's a bit annoying that we can't leave these uncommented for consistency. Can update api to support configuring values < shared quota?
There was a problem hiding this comment.
I'm not sure how much of a side effect this could have looking at those lines on API side:
I think it might break some other behaviors.
| SignInSignUps *uint `toml:"sign_in_sign_ups"` | ||
| TokenVerifications *uint `toml:"token_verifications"` | ||
| EmailSent *uint `toml:"email_sent"` | ||
| SmsSent *uint `toml:"sms_sent"` |
There was a problem hiding this comment.
Any objection to make these non-pointers? We are setting default values for these fields https://github.com/supabase/cli/pull/3206/files#diff-ec116054b1a1deee8fc9bfb3c95419fcdae3c4d5a2c0b7a25c7c55ac1cfb135dR130-R142 so only the commented out EmailSent and SmsSent are nil pointers.
Allow to configure rate limits via the
config.tomlComes with the docs PR here: supabase/supabase#33830