Page MenuHomePhabricator
Create Task
Maniphest T399632

Add a rate limiting class to session JWTs
Closed, ResolvedPublic
Actions

Description

Using the mechanism from T399198: Define standard JWT session data for supported session types, we should add rate limiting information to every session JWT (to be used by T405544: Add support for rate limiting rest gateway routes to api-gateway helm chart). The current OAuth 2 JWTs use an integer "number of requests per hour" value, but that's very inflexible, so we'll probably add some sort of rate limiting class instead, and use configuration (puppet, I guess) to translate that to specific numbers in Varnish / Envoy.

This task is to define where that rate limiting class should come from.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add higher traffic rate limiting class for botsmediawiki/extensions/WikimediaEventsmaster+19 -3
Indicate owner-only status to OAuth 2 access token claims hooksmediawiki/extensions/OAuthmaster+65 -4
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Jul 15 2025, 8:33 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 15 2025, 8:33 PM
Tgr added a parent task: T398815: WE5.1.2 Verifiable MediaWiki sessions.Jul 15 2025, 8:33 PM
Tgr mentioned this in T399198: Define standard JWT session data for supported session types.Jul 15 2025, 8:56 PM
JTweed-WMF moved this task from Inbox to WE5.1.1 on the FY2025-26 KR 5.1 board.Jul 17 2025, 12:34 PM
JTweed-WMF moved this task from WE5.1.1 to WE5.1.2 on the FY2025-26 KR 5.1 board.Jul 24 2025, 8:58 AM
JTweed-WMF moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.Jul 28 2025, 3:00 PM
Tgr added a comment.Aug 3 2025, 12:50 PM

T399057: Introduce allowlists into the CDN (text) filtering has some discussion of planned rate limiting classes.

gerritbot added a comment.Aug 3 2025, 12:53 PM

Change #1175247 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/WikimediaEvents@master] [POC] Add higher traffic rate limiting class for noratelimit users

https://gerrit.wikimedia.org/r/1175247

gerritbot added a project: Patch-For-Review.Aug 3 2025, 12:53 PM
Tgr added subscribers: JTweed-WMF, daniel.Sep 25 2025, 11:54 AM

@JTweed-WMF @daniel any thoughts on what the specific classes should be?

Tgr updated the task description. (Show Details)Sep 25 2025, 11:55 AM
JTweed-WMF claimed this task.Sep 25 2025, 2:27 PM
pmiazga mentioned this in T405578: api-gateway helm chart: use JWT to determine rate limit for rest routes.Oct 6 2025, 9:15 AM
daniel added a comment.Nov 3 2025, 10:06 AM
In T399632#11213910, @Tgr wrote:

@JTweed-WMF @daniel any thoughts on what the specific classes should be?

We defined a couple of classes for the initial rool-out of rate limiting in Envoy, but they are basically what happens if we *don't* have the rate limit class in the jwt. The preliminary limit classes are:

  • no-limit: internal/testing use, disables rate limit entirely
  • anon: no user identity, uses client IP instead
  • cookie-user: user name from unverified cookie
  • jwt-user: user identity from validated JWT (in progress)

Classes that seem useful to me that we might want in a JWT generated by mediawiki include:

  • mw-autoconfirmed
  • mw-community-bot

The problem is that MW knows these things per wiki, but we'd need a global class. This needs to be integrated with centralauth somehow.

We could also have classes for app tokens:

  • wmf-wikipedia-app

We could also have classes assigned at the edge, in a header, for requests without a jwt:

  • wmf-cloud-services
  • wmf-known-bot
  • wmf-suspected-scraper...
Tgr added a comment.Nov 6 2025, 10:12 PM

CentralAuth can check crosswiki groups via CentralAuthUser::getLocalGroups() (example). Not sure that works for implicit groups though.

Tgr claimed this task.Nov 18 2025, 5:32 PM
Tgr moved this task from Needs refinement to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.

Reassigning this temporarily to set up some rate limiting classes for testing. Will assign back afterwards.

OWresch-WMF edited projects, added MediaWiki-Platform-Team (Q3 Kanban Board); removed MediaWiki-Platform-Team.Nov 21 2025, 11:44 AM
OWresch-WMF moved this task from Essential Work to In Progress on the MediaWiki-Platform-Team (Q3 Kanban Board) board.
gerritbot added a comment.Nov 24 2025, 2:01 PM

Change #1210597 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Indicate owner-only status to OAuth 2 access token claims hooks

https://gerrit.wikimedia.org/r/1210597

gerritbot added a comment.Nov 26 2025, 10:29 AM

Change #1210597 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Indicate owner-only status to OAuth 2 access token claims hooks

https://gerrit.wikimedia.org/r/1210597

gerritbot added a comment.Nov 26 2025, 10:29 AM

Change #1175247 merged by jenkins-bot:

[mediawiki/extensions/WikimediaEvents@master] Add higher traffic rate limiting class for bots

https://gerrit.wikimedia.org/r/1175247

Maintenance_bot removed a project: Patch-For-Review.Nov 26 2025, 10:30 AM
ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.5; 2025-12-02).Nov 26 2025, 11:00 AM
OWresch-WMF moved this task from In Progress to To be verified in Prod on the MediaWiki-Platform-Team (Q3 Kanban Board) board.Nov 27 2025, 3:18 PM
Tgr closed this task as Resolved.Jan 23 2026, 9:55 PM

Let's just mark this as done. We'll probably want to change the specifics, but it should be very simple to do so (and if not, we can reopen).

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits