Auth Filter
Scope: All protected endpoints
Route Type: Global filter (@filter auth)
Tag: auth
Description
The auth filter is applied to all incoming requests. While /login and /__ping__ are exempt from JWT authentication, they are still subject to rate limiting and exponential backoff to prevent brute-force attacks.
It performs these responsibilities:
- Verifies the Bearer token from the Authorization header
- Decodes the token and attaches user_id and role to the request
- Enforces rate limiting using MAX_REQUESTS per WINDOW_SIZE
- Applies exponential backoff for repeated failed logins
Header Example
Authorization: Bearer eyJhbGciOiJIUzI1...
Response Summary
| Condition | Status | Example Error |
|---|---|---|
| Missing or malformed token | 401 | { "error": "Missing or invalid token" } |
| Invalid or expired token | 401 | { "error": "Invalid or expired token" } |
| Too many failed attempts | 429 | { "error": "Too many failed attempts. Wait 8s." } |
| Rate limit exceeded | 429 | { "error": "Rate limit exceeded. Try later." } |
| Misconfigured secret | 500 | { "error": "Server misconfigured (missing JWT_SECRET)" } |
Internal Notes
If the token is valid, your endpoint functions will have:
req$user_id  # Unique user ID
req$role     # Role, e.g., "user", "admin"
The filter logic is defined in plumber.R using @filter auth.
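The following is an added example of how such a filter can be written in plumber; it is not the project's own plumber.R. It assumes the jose package for HS256 verification, per-process in-memory counters keyed by client IP, claim names user_id and role, and a hypothetical record_login_failure() hook that the /login handler calls on a bad password to drive the 2s/4s/8s backoff schedule.

```r
library(plumber)
library(jose)

# Per-process in-memory state (assumed; resets on restart, not shared across workers)
.rl <- new.env()  # rate-limit buckets keyed by client IP
.bo <- new.env()  # failed-login penalties keyed by client IP

fail_with <- function(res, status, msg) { res$status <- status; list(error = msg) }

# Hook for the /login handler to call on a bad password (assumed; not shown on the page).
# Penalty doubles per failure: 2s, 4s, 8s, ... (assumed schedule)
record_login_failure <- function(ip) {
  n <- if (exists(ip, envir = .bo)) .bo[[ip]]$n + 1 else 1
  .bo[[ip]] <- list(n = n, until = Sys.time() + 2^n)
}

#* @filter auth
function(req, res) {
  ip <- req$REMOTE_ADDR; now <- Sys.time()
  max_req <- as.numeric(Sys.getenv("MAX_REQUESTS", "1000"))
  window  <- as.numeric(Sys.getenv("WINDOW_SIZE", "3600"))

  # Fixed-window rate limit: applies to every path, /login and /__ping__ included
  b <- if (exists(ip, envir = .rl)) .rl[[ip]] else list(start = now, count = 0)
  if (as.numeric(now - b$start, units = "secs") >= window) b <- list(start = now, count = 0)
  b$count <- b$count + 1
  .rl[[ip]] <- b
  if (b$count > max_req) return(fail_with(res, 429, "Rate limit exceeded. Try later."))
  # Exponential backoff: refuse while the client is still inside its penalty window
  bo <- if (exists(ip, envir = .bo)) .bo[[ip]] else NULL
  if (!is.null(bo) && now < bo$until) {
    wait <- ceiling(as.numeric(bo$until - now, units = "secs"))
    return(fail_with(res, 429, sprintf("Too many failed attempts. Wait %ds.", wait)))
  }
  # Exempt paths skip only the JWT check
  if (req$PATH_INFO %in% c("/login", "/__ping__")) return(forward())
  secret <- Sys.getenv("JWT_SECRET", "")
  if (!nzchar(secret)) return(fail_with(res, 500, "Server misconfigured (missing JWT_SECRET)"))
  auth <- req$HTTP_AUTHORIZATION
  if (is.null(auth) || !grepl("^Bearer [A-Za-z0-9_.-]+$", auth))
    return(fail_with(res, 401, "Missing or invalid token"))
  # jose checks the HMAC signature; an exp claim is additionally required and re-checked here
  claims <- tryCatch(jwt_decode_hmac(sub("^Bearer ", "", auth), charToRaw(secret)),
                     error = function(e) NULL)
  if (is.null(claims) || is.null(claims$exp) || as.numeric(now) > claims$exp)
    return(fail_with(res, 401, "Invalid or expired token"))
  req$user_id <- claims$user_id  # assumed claim names
  req$role    <- claims$role
  forward()
}
```

Because the counters live in process memory, a multi-worker deployment would need a shared store for the limits to hold across workers.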
Environment Configuration
| Env Variable | Purpose | Default |
|---|---|---|
| JWT_SECRET | Secret key for decoding JWT | (required) |
| MAX_REQUESTS | Max allowed requests in the window | 1000 |
| WINDOW_SIZE | Rate limit window duration in seconds | 3600 |
Sponsors
Support my work through GitHub Sponsors!