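%% Rate limit and lockout interplay for Standard plug-in (Mermaid)
%% Two separate controls are shown. The rate limiter is consulted first and is
%% keyed on client_id + remote_ip. The lockout counters are loaded from the
%% credential store, and only for requests the limiter has allowed.
sequenceDiagram
    autonumber
    participant Client as Client/App
    participant Host as Authority Host
    participant Limiter as Rate Limiter Middleware
    participant Plugin as Standard Plugin
    participant Store as Credential Store / Lockout State

    Client->>Host: POST /token (client_id, credentials)
    %% NOTE(review): the quota key includes remote_ip. If the host is deployed
    %% behind a reverse proxy, confirm the address comes from a trusted source
    %% rather than a client-supplied header.
    Host->>Limiter: Check quota (client_id + remote_ip)
    alt quota exceeded
        %% Rejected before VerifyCredentials: the plug-in and the credential
        %% store are not reached on this path, so lockout counters are untouched.
        Limiter-->>Host: Reject (429, retryAfter)
        Host-->>Client: 429 Too Many Requests\nRetry-After header with limiter tags
    else quota ok
        Limiter-->>Host: Allow (remaining tokens)
        Host->>Plugin: VerifyCredentials(subject)
        Plugin->>Store: Load hashed password + lockout counters
        Store-->>Plugin: Credential result + deterministic counter
        %% NOTE(review): only "locked" and "valid" outcomes are drawn. The path
        %% for invalid credentials below the lockout threshold (response returned,
        %% counter increment) is not shown; confirm and document it.
        %% NOTE(review): the lockout branch is listed first, which suggests a
        %% locked subject gets 423 even with correct credentials. Confirm against
        %% the plug-in.
        alt lockout threshold reached
            Plugin-->>Host: Locked (retryAfter=lockoutWindow)
            Host-->>Client: 423 Locked\nRetry-After header + `authority.lockout` tag
        else valid credentials
            Plugin-->>Host: Success (issue tokens)
            Host-->>Client: 200 OK + tokens + limiter metadata
        end
    end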