From 72fb097c0f364a24778901c2c0f41dd054a2e274 Mon Sep 17 00:00:00 2001
From: pascal
Date: Tue, 9 Dec 2025 16:13:00 +0100
Subject: [PATCH] report pat id for tokens used more than 120 times per minute
---
 management/server/http/middleware/auth_middleware.go | 9 +++++----
 management/server/http/middleware/pat_usage_tracker.go | 5 ++++-
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/management/server/http/middleware/auth_middleware.go b/management/server/http/middleware/auth_middleware.go
index ffd7e0b93..b76f00bd7 100644
--- a/management/server/http/middleware/auth_middleware.go
+++ b/management/server/http/middleware/auth_middleware.go
@@ -171,10 +171,6 @@ func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, authHeaderParts []
 return r, fmt.Errorf("error extracting token: %w", err)
 }
- if m.patUsageTracker != nil {
- m.patUsageTracker.IncrementUsage(token)
- }
-
 if m.rateLimiter != nil {
 if !m.rateLimiter.Allow(token) {
 return r, status.Errorf(status.TooManyRequests, "too many requests")
@@ -186,6 +182,11 @@ func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, authHeaderParts []
 if err != nil {
 return r, fmt.Errorf("invalid Token: %w", err)
 }
+
+ if m.patUsageTracker != nil {
+ m.patUsageTracker.IncrementUsage(pat.ID)
+ }
+
 if time.Now().After(pat.GetExpirationDate()) {
 return r, fmt.Errorf("token expired")
 }
diff --git a/management/server/http/middleware/pat_usage_tracker.go b/management/server/http/middleware/pat_usage_tracker.go
index 331c288e7..b323ea920 100644
--- a/management/server/http/middleware/pat_usage_tracker.go
+++ b/management/server/http/middleware/pat_usage_tracker.go
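Review bot: The new `m.patUsageTracker.IncrementUsage(pat.ID)` call in the second hunk carries no comment explaining why it was moved below token validation, and the reason matters: the tracker was previously keyed by the raw secret, so its in-memory contents and the per-token log line this commit adds in pat_usage_tracker.go would have exposed token values. I would add `// Track usage by PAT ID, not the raw token, so the tracker never stores or logs the secret.` above the `if m.patUsageTracker != nil` block. The increment now runs before the `time.Now().After(pat.GetExpirationDate())` check, so presentations of expired tokens are still counted; that may be intended, but it deserves a word in the same comment. The rate limiter in the first hunk still keys on `token`, which this commit leaves untouched. checkPATFromRequest begins and ends outside both hunks.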
@@ -74,8 +74,11 @@ func (t *PATUsageTracker) reportUsageBuckets() {
 totalTokens := len(snapshot)
 if totalTokens > 0 {
- for _, count := range snapshot {
+ for id, count := range snapshot {
 t.histogram.Record(t.ctx, count)
+ if count > 120 {
+ log.Debugf("High PAT usage detected: token %s used %d times in the last minute", id, count)
+ }
 }
 log.Debugf("PAT usage in last minute: %d unique tokens used", totalTokens)
 }
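Review bot: The threshold in `if count > 120 {` is an unexplained magic number whose only documentation is the commit subject; name it at package scope, e.g. `const highPATUsageThreshold = 120 // per-PAT requests per minute above which usage is reported` and write the condition as `if count > highPATUsageThreshold {`. The report is emitted with `log.Debugf`, so a deployment logging at Info or above will never see it; if the intent is to surface abnormal PAT usage to operators, consider `log.Warnf` for that line, or state in a comment why Debug is sufficient. Since `id` is now a PAT ID rather than the token value, the message text `token %s` would read more accurately as `PAT %s`. reportUsageBuckets continues past the end of the hunk.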