rate limit error returns status code 401 instead of 429

error [Error [APIError]: Rate limit exceeded.] {
  status: 'UNAUTHORIZED',
  body: [Object],
  headers: {},
  statusCode: 401
}
That's what I get when I log the error ^. I'm using the API key plugin, and when I get rate limited I get this error, but I expected it to have a 429 status code. Basically I have a route.ts that I'm calling from Postman with x-api-key set; inside the route.ts I call the tRPC procedure that checks if the user has a session etc., and it returns me that error saying this API key is being rate limited, but its status code is not 429. Any ideas?
Kyle (3mo ago)
When an API key exceeds its rate limit, the library is treating it as if the key is no longer valid for authentication purposes during that time window, hence the 401 status instead of 429. Are you perhaps sure you didn't go over the limit of uses for the API key?
Adam Borygo (OP, 3mo ago)
Well, I don't pass any settings when creating the API key, so I would assume the max uses are infinite.
Kyle (3mo ago)
It looks like, based on the code, if you don't specify rate limitations when you create an API key, it'll inherit the defaults the plugin has, being 10 requests per 24-hour period. Do you mind either updating that key or creating a new key when creating the key?
// Disable per-key rate limiting for one existing key.
await auth.api.updateApiKey({
  body: {
    keyId: yourKeyId,
    rateLimitEnabled: false
  },
  headers
});
Kyle (3mo ago)
GitHub: better-auth/packages/better-auth/src/plugins/api-key/rate-limit.ts ...
Adam Borygo (OP, 3mo ago)
Yeah, I created a new key and it worked for the first 10 requests.
Kyle (3mo ago)
Try setting that rate limit to false for the key request, or increase it by passing a config to the plugin, or disable it:
// apiKey plugin options
rateLimit: {
  enabled: true,
  timeWindow: 1000 * 60 * 60 * 24, // 24 hours
  maxRequests: 10 // Default is only 10 requests per day
}
Adam Borygo (OP, 3mo ago)
Can't I just put rateLimitMax: -1?
Kyle (3mo ago)
I mean, you can do whatever you'd like. I'm just giving you ideas, so you can either do it based on a specific key, overall, or you could do that -1, which seems like it'd work based on the codebase.
Adam Borygo (OP, 3mo ago)
So I put this in config:
// note: these option names differ from the apiKey plugin's timeWindow / maxRequests shown above
rateLimit: {
  enabled: true,
  window: 10,
  max: 2,
},
but it still returns 401. I still kind of don't understand what conditions it needs to meet to return 429. Okay, I guess the reason is that it's on the server. I just did something like this:
// Remap the plugin's rate-limit error to 429 in the route handler
const status =
  error.message === ERROR_CODES.RATE_LIMIT_EXCEEDED
    ? 429
    : error.statusCode;
@Kyle do you think I even should be using the apiKey plugin for this use case, or the bearer plugin?
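To make the whole exchange concrete (Kyle's plugin defaults of 10 requests per 24-hour window and the per-key rateLimitEnabled override, plus the route-side remap of the rate-limit error to 429), here is an added, self-contained model in TypeScript. It is not better-auth's code: the fixed-window counter, the ApiKeyStore class, the handleRequest function and the ERROR_CODES values are assumptions built to mirror the behaviour and the logged error shape shown in this thread, including the pre-fix quirk of a rate-limited key being rejected with statusCode 401.

```typescript
// Added example (not better-auth's code): a minimal model of the per-key
// fixed-window rate limit described in the thread, the 401 / "Rate limit
// exceeded." error the plugin was returning, and the route-side remap to 429.
// ERROR_CODES values, the error shape and all class/function names are
// assumptions modelled on the logged error above.

export const ERROR_CODES = {
  INVALID_API_KEY: "Invalid API key.",
  RATE_LIMIT_EXCEEDED: "Rate limit exceeded.",
} as const;

export interface APIError {
  message: string;
  status: "UNAUTHORIZED" | "TOO_MANY_REQUESTS";
  statusCode: number;
}

export interface RateLimitConfig {
  enabled: boolean;
  timeWindow: number;  // window length in ms
  maxRequests: number; // requests allowed per window
}

// The defaults Kyle points out: 10 requests per 24-hour window.
export const DEFAULT_RATE_LIMIT: RateLimitConfig = {
  enabled: true,
  timeWindow: 1000 * 60 * 60 * 24,
  maxRequests: 10,
};

interface KeyRecord {
  userId: string;
  rateLimitEnabled: boolean; // per-key override, like updateApiKey({ rateLimitEnabled })
  windowStart: number;
  requestCount: number;
}

export class ApiKeyStore {
  private keys = new Map<string, KeyRecord>();

  // `now` is injectable so window expiry can be exercised without waiting 24h.
  constructor(
    private cfg: RateLimitConfig = DEFAULT_RATE_LIMIT,
    private now: () => number = Date.now,
  ) {}

  create(key: string, userId: string, rateLimitEnabled = true): void {
    this.keys.set(key, { userId, rateLimitEnabled, windowStart: this.now(), requestCount: 0 });
  }

  // Verifies a key and counts the request against its window. Mirrors the
  // pre-fix behaviour from the thread: a rate-limited key comes back as
  // statusCode 401 / UNAUTHORIZED even though the message says rate limit.
  verify(key: string): { userId: string } | APIError {
    const rec = this.keys.get(key);
    if (!rec) {
      return { message: ERROR_CODES.INVALID_API_KEY, status: "UNAUTHORIZED", statusCode: 401 };
    }
    if (!this.cfg.enabled || !rec.rateLimitEnabled) return { userId: rec.userId };

    const t = this.now();
    if (t - rec.windowStart >= this.cfg.timeWindow) {
      rec.windowStart = t; // fixed window: reset the counter once the window has expired
      rec.requestCount = 0;
    }
    if (rec.requestCount >= this.cfg.maxRequests) {
      return { message: ERROR_CODES.RATE_LIMIT_EXCEEDED, status: "UNAUTHORIZED", statusCode: 401 };
    }
    rec.requestCount += 1;
    return { userId: rec.userId };
  }
}

export function isApiError(r: { userId: string } | APIError): r is APIError {
  return "statusCode" in r;
}

// The route-side remap from the thread: surface rate limiting as 429 so a
// client can tell "back off and retry later" apart from "this key is invalid".
export function httpStatusFor(error: { message: string; statusCode: number }): number {
  return error.message === ERROR_CODES.RATE_LIMIT_EXCEEDED ? 429 : error.statusCode;
}

// A route.ts-style handler: reads x-api-key from the request headers and
// returns the status and body the client should see.
export function handleRequest(
  store: ApiKeyStore,
  headers: Record<string, string | undefined>,
): { status: number; body: { userId?: string; error?: string } } {
  const key = headers["x-api-key"];
  if (!key) return { status: 401, body: { error: ERROR_CODES.INVALID_API_KEY } };
  const result = store.verify(key);
  if (isApiError(result)) {
    return { status: httpStatusFor(result), body: { error: result.message } };
  }
  return { status: 200, body: { userId: result.userId } };
}
```

With the defaults, the eleventh call within the window is refused; verify() still carries 401 (the behaviour the thread complains about), while handleRequest() reports 429 through httpStatusFor(). A key created with rateLimitEnabled = false is never counted, which is what the updateApiKey call above achieves for an existing key. Distinguishing the two statuses matters operationally: a 429 tells the client to back off, whereas a 401 on a valid key tends to trigger re-authentication loops and makes brute-force or credential-stuffing noise indistinguishable from throttling in your logs.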
Kyle (3mo ago)
Not sure what your use case is or what you are building.
Adam Borygo (OP, 3mo ago)
I just need to verify that the user that is requesting the data via API is the user from the DB, but since it works I guess it's a good approach.
Kyle (3mo ago)
I'd stick with API keys because it's a simpler approach and bearer can be riskier.
Ping (3mo ago)
@Adam Borygo You're right to say that when something reaches a rate limit it should be TOO_MANY_REQUESTS, so I've opened a PR fixing this. You can track it here: https://github.com/better-auth/better-auth/pull/3213
GitHub: fix(api-key): improve error statuses by ping-maxwell · Pull Reques...
When an API key is rate-limited, the status should be TOO_MANY_REQUESTS not UNAUTHORIZED
Adam Borygo (OP, 3mo ago)
Awesome.