vague MUST on Validate RateLimit fields

ietf-wg-httpapi / ratelimit-headers

Repository for IETF WG draft ratelimit-headers

Other

45 stars 5 forks source link

vague MUST on Validate RateLimit fields #96

Closed mnot closed 2 years ago

mnot commented 2 years ago

A client MUST validate the RateLimit fields before using them and check if there are significant discrepancies with the expected ones. This includes a RateLimit-Reset field moment too far in the future (e.g. similarly to receiving "Retry-after: 1000000") or a service-limit too high.

This seems quite arbitrary for a MUST; what is "too far in the future" and "too high"?

ioggstream commented 2 years ago

Agree, this is an tricky point. I think an implementation:

MUST define internal threeshold of allowed values;
MUST validate ratelimit fields according to those thresholds.

I think we could borrow some text from Signature.

See #99

mnot commented 2 years ago

OK, but RFC2119 language is for interoperability, and this doesn't provide any; different implementations (or deployments) are going to have different values, and that may cause issues.

It'd be better to defines precise limits if you think this is important enough to merit a MUST. Personally, I'd remove the 2119 language and just give guidelines about what implementations should consider when they're looking for abuse.

ioggstream commented 2 years ago

Ok, great!

ioggstream commented 2 years ago

Addressed in #114