feat(discord): add exponential backoff retry policy for rate limits #302

Open

Shevilll wants to merge 5 commits into AOSSIE-Org:main from Shevilll:fix/discord-rate-limiting-backoff

Conversation

@Shevilll

This Pull Request introduces robust rate-limiting retry policies for the Discord API to address Issue #284.

Highlights:

  • Asynchronous Exponential Backoff Wrapper (with Full Jitter): Implemented a robust backoff strategy to handle Discord rate limits gracefully, preventing stampeding herds with randomized full jitter.
  • Custom Retry Decorators: Created reusable, asynchronous decorators to easily wrap Discord API calls with exponential backoff and rate-limiting retry logic.
  • Integration into Bot Command Trees: Wired the retry mechanics into the core Discord bot command trees to ensure seamless operation under high API traffic.
  • Robust pytest Suite: Added a comprehensive unit test suite in tests/test_discord_retry.py covering various rate-limiting scenarios with a 100% pass rate.
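An added example (not the PR's own retry.py) of the pattern the description outlines: an async decorator that retries on a Discord 429 with exponential backoff and full jitter, never sleeping less than the server's Retry-After hint. The RateLimited class is a hypothetical stand-in for discord.py's HTTPException with status 429; the sleep and RNG hooks exist so the schedule can be inspected without real waits.

```python
import asyncio
import functools
import random

class RateLimited(Exception):
    """Constructed stand-in for a 429 (discord.py: HTTPException, status 429, retry_after)."""
    def __init__(self, retry_after: float = 0.0):
        super().__init__(f"429 Too Many Requests, retry_after={retry_after}")
        self.retry_after = retry_after

def full_jitter_delay(attempt: int, base: float, cap: float, rng=random.random) -> float:
    """Full jitter: uniform in [0, min(cap, base * 2**attempt)] so callers don't retry in lockstep."""
    return rng() * min(cap, base * (2 ** attempt))

def retry_on_rate_limit(max_retries=5, base=0.5, cap=30.0, sleep=asyncio.sleep, rng=random.random):
    """Async decorator: retry on RateLimited, waiting max(Retry-After, jittered backoff)."""
    def decorator(func):
        @functools.wraps(func)
        async def wrapper(*args, **kwargs):
            for attempt in range(max_retries + 1):
                try:
                    return await func(*args, **kwargs)
                except RateLimited as exc:
                    if attempt == max_retries:
                        raise  # budget exhausted: surface the 429 to the caller
                    delay = max(exc.retry_after, full_jitter_delay(attempt, base, cap, rng))
                    await sleep(delay)
        return wrapper
    return decorator

def run_demo(fail_times: int):
    """Drive a fake API that answers 429 `fail_times` times, then succeeds. Sleeps are
    recorded, not slept, and the RNG is fixed at 0.5. Returns (outcome, recorded delays)."""
    sleeps, calls = [], {"n": 0}

    async def record(delay):
        sleeps.append(delay)

    @retry_on_rate_limit(max_retries=3, base=1.0, cap=4.0, sleep=record, rng=lambda: 0.5)
    async def send_message():
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise RateLimited(retry_after=0.25)
        return "ok"
    try:
        outcome = asyncio.run(send_message())
    except RateLimited:
        outcome = "rate_limited"
    return outcome, sleeps
```

With base 1.0 and cap 4.0 the recorded delays grow 0.5, 1.0, 2.0 and then stop at the cap; after the retry budget is spent the last 429 propagates so the command can report failure instead of looping forever.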

Shevilll added 3 commits June 20, 2026 14:21
…g#268)

The GitHub OAuth verification flow did not generate or validate the
standard OAuth `state` parameter (RFC 6749 Section 10.12). The flow
relied solely on a `session` id in the redirect URI to bind the Discord
verification request to the GitHub callback, leaving it open to login
CSRF / session fixation: an attacker could trick a victim into completing
a callback that links the victim's Discord account to the attacker's
GitHub account.

Generate a cryptographically-random state with secrets.token_urlsafe(32)
bound to the verification session, thread it through the OAuth authorize
URL, and validate it in the callback with a constant-time comparison,
rejecting any request with a missing or mismatched state.

- verification.py: create_verification_session now returns
  (session_id, oauth_state) and stores the state with the session;
  add validate_oauth_state() for constant-time validation.
- cogs.py: pass the generated state to login_with_github in both the
  /verify_github command and the onboarding flow.
- auth.py: accept the state query param in the callback and reject the
  request when validation fails.

Expiry is validated through the database query, so the unpacked
expiry_time is unused; underscore-prefix it for consistency with the
rest of the module.
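An added example (not the project's verification.py or auth.py) of the flow the commit message describes: a session-bound state generated with secrets.token_urlsafe(32), threaded through the authorize URL, and checked in the callback with a constant-time comparison that also rejects missing, expired and reused states. The in-memory dict, github_authorize_url and state_from_callback are assumptions standing in for the project's database and handlers.

```python
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

_SESSIONS = {}  # constructed in-memory store; stands in for the project's database (assumption)
SESSION_TTL_SECONDS = 600

def create_verification_session(discord_user_id: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Return (session_id, oauth_state) and store the state with the session, as the commit
    describes; the state is 32 CSPRNG bytes, so it cannot be guessed by a third party."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(16)
    oauth_state = secrets.token_urlsafe(32)
    _SESSIONS[session_id] = {"discord_user_id": discord_user_id, "state": oauth_state,
                             "expires_at": now + SESSION_TTL_SECONDS, "used": False}
    return session_id, oauth_state

def github_authorize_url(client_id: str, redirect_uri: str, session_id: str, oauth_state: str) -> str:
    """Thread the state through the authorize URL; the session id alone is not a CSRF token."""
    query = urlencode({"client_id": client_id, "scope": "read:user", "state": oauth_state,
                       "redirect_uri": f"{redirect_uri}?session={session_id}"})
    return "https://github.com/login/oauth/authorize?" + query

def validate_oauth_state(session_id: str, state: Optional[str], now: Optional[float] = None) -> bool:
    """Callback-side check: reject missing state, unknown or expired session, mismatch and
    reuse. Compare bytes, not str, so a non-ASCII value cannot make compare_digest raise."""
    now = time.time() if now is None else now
    session = _SESSIONS.get(session_id)
    if session is None or not state:
        return False
    if session["used"] or now >= session["expires_at"]:
        return False
    if not hmac.compare_digest(session["state"].encode(), state.encode()):
        return False
    session["used"] = True  # single use: a captured state cannot be replayed
    return True

def state_from_callback(url: str) -> Optional[str]:
    """Extract the state parameter GitHub echoes back to the callback (None if absent)."""
    values = parse_qs(urlparse(url).query).get("state")
    return values[0] if values else None
```

Binding the state to the stored session, rather than only to a cookie, is what stops the login-CSRF case in the commit message: a callback carrying the attacker's state fails validation against the victim's session.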
@coderabbitai

coderabbitai Bot commented Jun 25, 2026


Warning

Review limit reached

@Shevilll, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 54 minutes and 34 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2efaee59-6d4e-4ccc-8d92-a79237032561

📥 Commits

Reviewing files that changed from the base of the PR and between db81871 and 656d8b7.

📒 Files selected for processing (7)
  • backend/app/api/v1/auth.py
  • backend/app/services/auth/verification.py
  • backend/integrations/discord/bot.py
  • backend/integrations/discord/cogs.py
  • backend/integrations/discord/retry.py
  • tests/test_discord_retry.py
  • tests/test_oauth_verification.py
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

