# ory-network
a
Hi, we recently noticed an increase in our developers getting rate limited. We have a bunch of internal systems using different Ory projects, some of which are on the free tier, and also external, production systems using a paid Ory product. I don't think anything has changed in how we use the platform recently. Do you have any suggestions as to why we're seeing these now?
b
Hi! Could you send me the hostname where you saw the rate limiting? Ideally via DM here.
v
Hi, we've also been seeing this issue, especially on self-service login using the Ory tunnel, to the point that it is no longer possible for some to simply log in. This happens on the separate Developer plan that we use for local dev. I can share more details if you need them.
e
Hello there! We think this is because of a rule that blocks failed login attempts. Basically, we try to limit requests to the login endpoint that result in a failure to log in. Could you confirm this is what is happening on your end?
v
I think this might not be it. For this project, we almost always only use OIDC and Google auth within it, so there aren't really many chances of failed login attempts. It just started happening for almost all of us in the team recently, after we got rate-limited on toSession calls. A hint that this too might not be the reason is that we have previously also been rate limited on this call (we cache this now). But I can't think of anything else that would lead to this.
a
In our case those are internal applications that don't see too much traffic. What are your rate limits?
e
If it is the rule I suppose it was, then 25 failed req/min.
I checked the event for this request

https://ory-community.slack.com/files/U04TXAH85M2/F07FBUAH62J/screenshot_2024-08-05_at_16.17.15.png

and can confirm we see that as a failed POST to /self-service/login. By failed I mean: the response was either 400 or 303 without a session token.
v
Alright, thanks for checking and clarifying. So, we've had session token expiries before and we didn't face this issue earlier. Is the rule that blocks failed login attempts fairly recent? Also, is there something we can do to avoid getting blocked when login fails due to expired session tokens going forward?
e
We are deploying a new version of the rule that doesn't depend on the response, and we have seen it working better in development.
I expect we will deploy that to prod this week 🙂
v
That's great. Thanks so much!!