From 77f73872ebd623ed9650257d965012ec88921deb Mon Sep 17 00:00:00 2001
From: Hugh Brown
Date: Wed, 4 Mar 2026 10:37:05 -0700
Subject: [PATCH] fix: scope optional agent auth rate limiting to X-Agent-Token header only

Prevents normal user requests with Authorization: Bearer from being throttled by the agent auth limiter in the shared require_user_or_agent dependency path.

Co-Authored-By: Claude Opus 4.6
---
 backend/app/core/agent_auth.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/backend/app/core/agent_auth.py b/backend/app/core/agent_auth.py
index 84d0bf66..54244a7a 100644
--- a/backend/app/core/agent_auth.py
+++ b/backend/app/core/agent_auth.py
@@ -170,11 +170,13 @@ async def get_agent_auth_context_optional(
             bool(authorization),
         )
         return None
-    # Rate-limit when a token is presented to prevent brute-force guessing
-    # via the optional auth path.
-    client_ip = request.client.host if request.client else "unknown"
-    if not agent_auth_limiter.is_allowed(client_ip):
-        raise HTTPException(status_code=status.HTTP_429_TOO_MANY_REQUESTS)
+    # Rate-limit when an agent token header is presented to prevent brute-force
+    # guessing via the optional auth path. Scoped to X-Agent-Token so that
+    # normal user Authorization headers are not throttled.
+    if agent_token:
+        client_ip = request.client.host if request.client else "unknown"
+        if not agent_auth_limiter.is_allowed(client_ip):
+            raise HTTPException(status_code=status.HTTP_429_TOO_MANY_REQUESTS)
     agent = await _find_agent_for_token(session, resolved)
     if agent is None:
         if agent_token:
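Review bot: Gating the limiter on `agent_token` leaves the Bearer path entirely unthrottled even though `_find_agent_for_token(session, resolved)` is still called for it: if `resolved` can be taken from `Authorization` (its derivation is outside the hunk), an agent token guessed via `Authorization: Bearer` is no longer counted by `agent_auth_limiter`, so the brute-force protection the removed comment described now covers only one of the two header forms. If requests that fail the agent lookup fall through to a user-auth path with its own limiter, state that in the new comment, e.g. `# Bearer-presented tokens fall through to user auth, which applies its own rate limit.`; otherwise consider counting only failed lookups by moving the `agent_auth_limiter.is_allowed(client_ip)` check under `if agent is None:`, so legitimate user traffic is not throttled but guessing is, whichever header carries the token. The `request.client.host` / `"unknown"` key is carried over unchanged from the removed lines, so every client without a resolvable peer address still shares a single bucket. get_agent_auth_context_optional starts before and continues after the hunk.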