Problem Statement
There are several issues and discussions around the rate-limits crates.io enforces being problematic when publishing multiple crates within a short window. In addition to the user impact, there is also impact on the crates.io team fielding requests to increase rate-limits for particular users.
Proposed Solution
I'd like to propose a self-service option for users who hit the API rate-limits to temporarily increase their limits to finish their crate publishing.
When a user reaches a 429 (Too Many Requests) error while publishing their crates, crates.io will send an email to the user's verified email address with an expiring unique magic link.
The user should receive an error message in the body of the 429 response indicating they should check their email.
When visiting the magic link, the user is taken to a special page where we 1) verify that the logged-in user matches and 2) verify that the client is being operated by a human (maybe with a privacy-preserving captcha, or by forcing re-authentication with GitHub?).
After verification, the user's rate-limit is temporarily increased.
Abuse Mitigations
While this doesn't prevent abuse completely, it also does not degrade our current state at all. Users will not have to wait for a crates.io team member to manually increase limits, and team members will service fewer requests.
Some potential mitigations to abusing the self-service system include:
Monitoring for frequent self-service increases in API rate-limits. Determine if they are legitimate or abusive and act accordingly.
Implement a sort of cooldown window where a limited number of rate increases is allowed during a defined time window.
Implement a gradual backoff on the extensions. For example, the first extension bumps the limit to 50/hr, the second extension to 25/hr, the third to 10/hr, etc.
Implement a 12- or 24-hour user-scoped maximum in addition to the hourly rate-limit.
Define additional limitations and restrictions for new GitHub accounts.
Once the Trusted Publishing implementation is completed, we can also opt publish operations that use trusted publishing into higher rate-limits automatically.
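The flow and mitigations described above, modelled as an added example in Rust using only the standard library. This is illustrative code written for this page, not code from the proposal or from crates.io. Everything concrete in it is an assumption: the base limit of 5/hr, the daily ceiling of 200, a 15-minute link lifetime, a 24-hour cooldown window capped at three extensions, a counter standing in for a randomly generated token, and the reading of "bumps the limit to 50/hr, then 25/hr, then 10/hr" as a fresh one-hour window at that limit. The magic link is stored server-side as an opaque single-use token bound to the user ID that hit the 429, and redeeming it checks expiry, account match and a human-verification flag before any limit changes.

```rust
use std::collections::HashMap;

// Assumed parameters for this example; crates.io's real limits differ.
const BASE_LIMIT: u32 = 5;                      // publishes per hour with no extension
const EXTENSION_STEPS: [u32; 3] = [50, 25, 10]; // 1st, 2nd, 3rd extension: fresh hour at this limit
const MAX_EXTENSIONS: usize = EXTENSION_STEPS.len();
const COOLDOWN_SECS: u64 = 24 * 3600;           // window in which extensions are counted
const DAILY_MAX: u32 = 200;                     // user-scoped ceiling no extension can raise
const HOUR_SECS: u64 = 3600;
const LINK_TTL_SECS: u64 = 15 * 60;             // magic link lifetime

#[derive(Debug, PartialEq)]
pub enum PublishOutcome {
    Allowed,
    /// HTTP 429. `magic_token` is the opaque token that would be emailed to the
    /// user's verified address; None means the cooldown forbids another extension.
    TooManyRequests { magic_token: Option<String> },
}

#[derive(Default)]
struct UserState {
    hour_start: u64,
    hour_count: u32,
    day_start: u64,
    day_count: u32,
    override_limit: Option<u32>, // hourly limit granted by the active extension
    override_expires_at: u64,
    extension_times: Vec<u64>,   // grant times inside the cooldown window
}

struct MagicLink {
    user_id: u64,    // bound to the account that hit the 429
    expires_at: u64,
    used: bool,      // single use
}

#[derive(Default)]
pub struct Limiter {
    users: HashMap<u64, UserState>,
    links: HashMap<String, MagicLink>,
    next_token: u64, // stand-in for a CSPRNG-generated token (assumption)
}

impl Limiter {
    pub fn new() -> Self {
        Self::default()
    }

    fn roll_windows(state: &mut UserState, now: u64) {
        if now >= state.hour_start + HOUR_SECS {
            state.hour_start = now;
            state.hour_count = 0;
        }
        if now >= state.day_start + 24 * HOUR_SECS {
            state.day_start = now;
            state.day_count = 0;
        }
        if now >= state.override_expires_at {
            state.override_limit = None;
        }
        state.extension_times.retain(|&t| now < t + COOLDOWN_SECS);
    }

    /// Publish attempt by `user_id` at unix time `now`.
    pub fn try_publish(&mut self, user_id: u64, now: u64) -> PublishOutcome {
        let state = self.users.entry(user_id).or_default();
        Self::roll_windows(state, now);
        let hourly_limit = state.override_limit.unwrap_or(BASE_LIMIT);
        if state.hour_count < hourly_limit && state.day_count < DAILY_MAX {
            state.hour_count += 1;
            state.day_count += 1;
            return PublishOutcome::Allowed;
        }
        // 429: offer a magic link only while an extension could still help.
        let can_extend = state.extension_times.len() < MAX_EXTENSIONS && state.day_count < DAILY_MAX;
        let magic_token = if can_extend {
            self.next_token += 1;
            let token = format!("tok-{:016x}", self.next_token);
            let link = MagicLink { user_id, expires_at: now + LINK_TTL_SECS, used: false };
            self.links.insert(token.clone(), link);
            Some(token)
        } else {
            None
        };
        PublishOutcome::TooManyRequests { magic_token }
    }

    /// Visiting the magic link while logged in. Returns the new hourly limit.
    pub fn redeem(&mut self, token: &str, logged_in_user: u64, human_verified: bool, now: u64)
        -> Result<u32, &'static str> {
        let link = self.links.get_mut(token).ok_or("unknown token")?;
        if link.used { return Err("token already used"); }
        if now >= link.expires_at { return Err("token expired"); }
        if link.user_id != logged_in_user { return Err("logged-in user does not match"); }
        if !human_verified { return Err("human verification failed"); }
        link.used = true; // burn the token before granting anything
        let state = self.users.entry(logged_in_user).or_default();
        Self::roll_windows(state, now);
        let n = state.extension_times.len();
        if n >= MAX_EXTENSIONS { return Err("extension cooldown active"); }
        // Gradual backoff: a fresh one-hour window at 50, then 25, then 10 per hour.
        state.override_limit = Some(EXTENSION_STEPS[n]);
        state.override_expires_at = now + HOUR_SECS;
        state.hour_start = now;
        state.hour_count = 0;
        state.extension_times.push(now);
        Ok(EXTENSION_STEPS[n])
    }
}

fn main() {
    let mut limiter = Limiter::new();
    let mut outcome = PublishOutcome::Allowed;
    for t in 0..=BASE_LIMIT as u64 { outcome = limiter.try_publish(42, t); }
    println!("after {} publishes: {:?}", BASE_LIMIT + 1, outcome);
    if let PublishOutcome::TooManyRequests { magic_token: Some(tok) } = outcome {
        println!("redeem as user 42: {:?}", limiter.redeem(&tok, 42, true, 10));
        println!("redeem again:      {:?}", limiter.redeem(&tok, 42, true, 11));
    }
}
```

Two design points worth noting: the token is marked used before the limit is raised, so a replayed link cannot grant a second extension even if a later step fails; and a 429 stops offering links once the cooldown cap or the daily ceiling is reached, which is the point at which the post's "monitor and act" mitigation takes over from self-service.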