up

docs/assets/authority/authority-rate-limit-flow.mmd

@@ -0,0 +1,27 @@
+%% Rate limit and lockout interplay for Standard plug-in (Mermaid)
+sequenceDiagram
+    autonumber
+    participant Client as Client/App
+    participant Host as Authority Host
+    participant Limiter as Rate Limiter Middleware
+    participant Plugin as Standard Plugin
+    participant Store as Credential Store / Lockout State
+
+    Client->>Host: POST /token (client_id, credentials)
+    Host->>Limiter: Check quota (client_id + remote_ip)
+    alt quota exceeded
+        Limiter-->>Host: Reject (429, retryAfter)
+        Host-->>Client: 429 Too Many Requests\nRetry-After header with limiter tags
+    else quota ok
+        Limiter-->>Host: Allow (remaining tokens)
+        Host->>Plugin: VerifyCredentials(subject)
+        Plugin->>Store: Load hashed password + lockout counters
+        Store-->>Plugin: Credential result + deterministic counter
+        alt lockout threshold reached
+            Plugin-->>Host: Locked (retryAfter=lockoutWindow)
+            Host-->>Client: 423 Locked\nRetry-After header + `authority.lockout` tag
+        else valid credentials
+            Plugin-->>Host: Success (issue tokens)
+            Host-->>Client: 200 OK + tokens + limiter metadata
+        end
+    end