vvzvlad/gitmost
1
0
Fork 0
Code Issues 14 Pull Requests 12 Packages Projects Releases Activity

[bug][collab] collab-token throttled by the anonymous public-share-AI limiter (5/min) → collaboration sync breaks after a few page opens #122

New Issue
Closed
opened 2026-06-22 06:27:44 +03:00 by Ghost · 0 comments
Ghost commented 2026-06-22 06:27:44 +03:00
Copy Link

Severity: high

POST /api/auth/collab-token is rejected with 429 after only 5 requests per 60s, because the route skips only the AUTH throttler and is still subject to the anonymous public-share-ai limiter (limit 5/60s).

Where:

  • apps/server/src/core/auth/auth.controller.ts:184collabToken() is decorated only with @SkipThrottle({ [AUTH_THROTTLER]: true }) (and the class skips AI_CHAT). It does not skip PUBLIC_SHARE_AI_THROTTLER.
  • apps/server/src/integrations/throttle/throttle.module.ts:32{ name: PUBLIC_SHARE_AI_THROTTLER, ttl: 60_000, limit: 5 } (and PAGE_TEMPLATE 30/60s) therefore also apply to collab-token. Effective cap = 5/min.

Repro (live): open ~8–10 page editors within a minute as a normal logged-in user. From the 6th open onward:

collab-token #1..#5  200
collab-token #9      429   retry-after-public-share-ai: 60
collab-token #10     429   retry-after-public-share-ai: 57

The 429 carries the header retry-after-public-share-ai, proving the anonymous public-share-AI bucket is the one rejecting it.

Impact: a single real user who opens more than 5 pages per minute starves their own collab token. The body editor stays locally editable (edits go to Yjs/IndexedDB) so there is no visible error, but the collab WebSocket can no longer authenticate → edits don't sync to the server / other clients, and it triggers the uncaught jwtDecode(undefined) crash (separate issue).

Suggested fix: also @SkipThrottle the PUBLIC_SHARE_AI (and PAGE_TEMPLATE) throttlers on collab-token, or move it behind the per-user AUTH throttler only.

Filed from an automated full-product QA pass on develop @ v0.93.0-64-gb60190ff, fresh DB. Each item below was reproduced live in a clean browser session unless noted.

**Severity:** high `POST /api/auth/collab-token` is rejected with **429** after only **5 requests per 60s**, because the route skips only the AUTH throttler and is still subject to the anonymous `public-share-ai` limiter (limit 5/60s). **Where:** - `apps/server/src/core/auth/auth.controller.ts:184` — `collabToken()` is decorated only with `@SkipThrottle({ [AUTH_THROTTLER]: true })` (and the class skips `AI_CHAT`). It does **not** skip `PUBLIC_SHARE_AI_THROTTLER`. - `apps/server/src/integrations/throttle/throttle.module.ts:32` — `{ name: PUBLIC_SHARE_AI_THROTTLER, ttl: 60_000, limit: 5 }` (and `PAGE_TEMPLATE` 30/60s) therefore also apply to collab-token. Effective cap = 5/min. **Repro (live):** open ~8–10 page editors within a minute as a normal logged-in user. From the 6th open onward: ``` collab-token #1..#5 200 collab-token #9 429 retry-after-public-share-ai: 60 collab-token #10 429 retry-after-public-share-ai: 57 ``` The 429 carries the header `retry-after-public-share-ai`, proving the anonymous public-share-AI bucket is the one rejecting it. **Impact:** a single real user who opens more than 5 pages per minute starves their own collab token. The body editor stays *locally* editable (edits go to Yjs/IndexedDB) so there is **no visible error**, but the collab WebSocket can no longer authenticate → edits don't sync to the server / other clients, and it triggers the uncaught `jwtDecode(undefined)` crash (separate issue). **Suggested fix:** also `@SkipThrottle` the `PUBLIC_SHARE_AI` (and `PAGE_TEMPLATE`) throttlers on `collab-token`, or move it behind the per-user AUTH throttler only. --- _Filed from an automated full-product QA pass on `develop` @ `v0.93.0-64-gb60190ff`, fresh DB. Each item below was reproduced live in a clean browser session unless noted._
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 epic
Large multi-phase effort spanning many changes
 feature
New functionality request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 idea
Idea / proposal for discussion
 invalid
This doesn't seem right
 needs-human
эскалация: нужно решение человека
 question
Further information is requested
 refactor
Code cleanup / refactoring
 review/approved
в последнем ревью нет открытых blocking-находок
 review/changes-requested
последнее ревью оставило открытые blocking-находки
 review/needs
head не ревьюился (head != reviewed_head)
 security
Security / hardening issue
 status/blocked
ждёт зависимость blocked_by
 status/done
закрыто и проверено
 status/in-progress
в активной работе (мягкая заявка)
 status/ready
специфицировано, не заблокировано, ждёт исполнителя
 test
Test coverage / test infrastructure
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
agent_coder agent_reviewer vvzvlad
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: vvzvlad/gitmost#122
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?