Skip to content

fix(auth): make Redis rate-limit counters atomic#9

Merged
Chat2DB-Pro merged 1 commit into
OtterMind:mainfrom
oopswoo3:fix/auth-redis-rate-limit-atomic
Jun 18, 2026
Merged

fix(auth): make Redis rate-limit counters atomic#9
Chat2DB-Pro merged 1 commit into
OtterMind:mainfrom
oopswoo3:fix/auth-redis-rate-limit-atomic

Conversation

@oopswoo3

Copy link
Copy Markdown
Contributor

Summary

  • RateLimiterService 的 Redis 路径改为 Lua 脚本原子执行 INCR + 首次 PEXPIRE
  • 覆盖 checkRate(OTP/敏感操作限流)与 recordFailure(登录失败计数)两条路径
  • 补充 Redis 路径单测,断言不再使用分立的 increment + expire 调用

问题(为何必须修)

原先分两步:

redisTemplate.opsForValue().increment(key);
redisTemplate.expire(key, Duration.ofSeconds(...));

若在 EXPIRE 前进程崩溃,Redis 会留下无 TTL 的计数 key,窗口永不重置 → 用户永久 429;失败计数同理。同仓库 EdgeFunctionRateLimiter 已用相同 Lua 模式修复并附有注释说明。

Test plan

  • mvn test -Dtest=RateLimiterServiceTest(6 tests passed)
  • 新测例验证 execute(script) 被调用且 opsForValue().increment 不再用于限流计数

Run INCR and first-hit PEXPIRE in one Lua script for auth rate limits and
failed-login counters, matching EdgeFunctionRateLimiter and preventing
TTL-less keys that never reset.
@Chat2DB-Pro Chat2DB-Pro merged commit 6f6a602 into OtterMind:main Jun 18, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants