feat(discord): add exponential backoff retry policy for rate limits#302
Shevilll wants to merge 5 commits into
Conversation
…g#268)

The GitHub OAuth verification flow did not generate or validate the standard OAuth `state` parameter (RFC 6749 Section 10.12). The flow relied solely on a `session` id in the redirect URI to bind the Discord verification request to the GitHub callback, leaving it open to login CSRF / session fixation: an attacker could trick a victim into completing a callback that links the victim's Discord account to the attacker's GitHub account.

Generate a cryptographically-random state with `secrets.token_urlsafe(32)` bound to the verification session, thread it through the OAuth authorize URL, and validate it in the callback with a constant-time comparison, rejecting any request with a missing or mismatched state.

- verification.py: `create_verification_session` now returns `(session_id, oauth_state)` and stores the state with the session; add `validate_oauth_state()` for constant-time validation.
- cogs.py: pass the generated state to `login_with_github` in both the `/verify_github` command and the onboarding flow.
- auth.py: accept the `state` query param in the callback and reject the request when validation fails.
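The state-binding scheme described in the commit above, written out as an added example; this is not the project's code. The in-memory `_sessions` store, the `SESSION_TTL_SECONDS` expiry, `build_authorize_url`, `handle_github_callback` and the `?session=` query parameter on the redirect URI are assumptions standing in for the project's database and web layer.

```python
# Added example (not the project's code): generate an OAuth ``state`` bound to a
# pending verification session and validate it in the callback in constant time.
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

SESSION_TTL_SECONDS = 600  # assumed: how long a pending verification stays valid

# Hypothetical in-memory stand-in for the project's verification-session table.
_sessions: Dict[str, dict] = {}


def create_verification_session(discord_user_id: int) -> Tuple[str, str]:
    """Create a pending verification and return (session_id, oauth_state).

    The state is a fresh 256-bit random token stored with the session, so the
    callback can only succeed for the Discord user who started the flow.
    """
    session_id = secrets.token_urlsafe(16)
    oauth_state = secrets.token_urlsafe(32)
    _sessions[session_id] = {
        "discord_user_id": discord_user_id,
        "oauth_state": oauth_state,
        "expires_at": time.time() + SESSION_TTL_SECONDS,
    }
    return session_id, oauth_state


def build_authorize_url(client_id: str, redirect_uri: str,
                        session_id: str, oauth_state: str) -> str:
    """Thread the state through the GitHub authorize URL (redirect shape assumed)."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": f"{redirect_uri}?session={session_id}",
        "scope": "read:user",
        "state": oauth_state,
    })
    return f"https://github.com/login/oauth/authorize?{query}"


def validate_oauth_state(session_id: str, presented_state: Optional[str]) -> bool:
    """Constant-time check of the callback's state against the stored one.

    Rejects a missing state, an unknown or expired session, and any mismatch.
    Both sides are compared as bytes so a non-ASCII value cannot raise.
    """
    if not presented_state:
        return False
    session = _sessions.get(session_id)
    if session is None or session["expires_at"] < time.time():
        return False
    return hmac.compare_digest(session["oauth_state"].encode("utf-8"),
                               presented_state.encode("utf-8"))


def handle_github_callback(session_id: str, state: Optional[str], code: str) -> dict:
    """Callback skeleton: refuse to link accounts unless the state validates."""
    if not validate_oauth_state(session_id, state):
        return {"status": 400, "error": "invalid or missing OAuth state"}
    session = _sessions.pop(session_id)  # single use: a replayed callback fails
    # The real handler would exchange ``code`` for a token here (assumption).
    return {"status": 200, "discord_user_id": session["discord_user_id"], "code": code}
```

Consuming the session on success is what makes the state single-use: replaying a captured callback URL after the victim has completed the flow is rejected like any other mismatch.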
Expiry is validated through the database query, so the unpacked expiry_time is unused; underscore-prefix it for consistency with the rest of the module.
This Pull Request introduces robust rate-limiting retry policies for the Discord API to address Issue #284.
Highlights:
- `tests/test_discord_retry.py` covering various rate-limiting scenarios with a 100% pass rate.
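An exponential-backoff retry policy of the kind this PR describes, as an added example that is not the PR's or the project's code. It assumes the server signals rate limiting with HTTP 429 and a `Retry-After` header in seconds; `RetryPolicy`, `retry_request`, the `(status, headers)` response tuple and the `make_fake_discord` stand-in are all constructed for the example.

```python
# Added example (not the project's code): exponential backoff with full jitter
# for a Discord-style REST client, honouring a server-supplied Retry-After.
import random
import time
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str]]  # constructed stand-in: (status, headers)


class RetryExhausted(Exception):
    """Raised when the request still fails after max_attempts sends."""


class RetryPolicy:
    def __init__(self, base: float = 0.5, factor: float = 2.0, max_delay: float = 30.0,
                 max_attempts: int = 5, rng: Optional[random.Random] = None) -> None:
        self.base = base
        self.factor = factor
        self.max_delay = max_delay
        self.max_attempts = max_attempts
        self.rng = rng or random.Random()

    def delay_for(self, failures: int, retry_after: Optional[float]) -> float:
        """Seconds to wait after ``failures`` consecutive retryable responses.

        A server-supplied Retry-After wins over local backoff: sleeping less
        than it only earns another 429, so it is honoured (clamped to max_delay).
        Otherwise use exponential backoff with full jitter, which spreads out
        retries from many clients that were throttled at the same moment.
        """
        if retry_after is not None:
            return min(max(retry_after, 0.0), self.max_delay)
        ceiling = min(self.max_delay, self.base * (self.factor ** failures))
        return self.rng.uniform(0.0, ceiling)


def parse_retry_after(headers: Dict[str, str]) -> Optional[float]:
    """Read Retry-After (seconds) case-insensitively; None if absent or malformed."""
    for name, value in headers.items():
        if name.lower() == "retry-after":
            try:
                return float(value)
            except ValueError:
                return None
    return None


def retry_request(send: Callable[[], Response], policy: RetryPolicy,
                  sleep: Callable[[float], None] = time.sleep) -> Tuple[Response, List[float]]:
    """Call send() until a non-retryable status arrives; returns (response, delays).

    429 and 5xx are retried; anything else (including 4xx client errors) is
    returned immediately, since retrying a bad request only burns quota.
    """
    delays: List[float] = []
    failures = 0
    while True:
        status, headers = send()
        if status != 429 and status < 500:
            return (status, headers), delays
        failures += 1
        if failures >= policy.max_attempts:
            raise RetryExhausted(f"gave up after {failures} attempts (last status {status})")
        retry_after = parse_retry_after(headers) if status == 429 else None
        delay = policy.delay_for(failures - 1, retry_after)
        delays.append(delay)
        sleep(delay)


def make_fake_discord(responses: List[Response]) -> Callable[[], Response]:
    """Constructed stand-in for the Discord API: replays scripted responses in order."""
    queue = list(responses)

    def send() -> Response:
        return queue.pop(0) if queue else (200, {})

    return send
```

Injecting `sleep` and `rng` is what makes the policy unit-testable without real waits: a test passes a list's `append` as the sleep function and asserts on the recorded delays, which is the shape a test file like the one this PR adds would take.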