Skip to content

fix(rest): tolerate malformed x-ratelimit-reset in 429 handling#761

Open
MegaManSec wants to merge 1 commit intoauth0:masterfrom
MegaManSec:int
Open

fix(rest): tolerate malformed x-ratelimit-reset in 429 handling#761
MegaManSec wants to merge 1 commit intoauth0:masterfrom
MegaManSec:int

Conversation

@MegaManSec
Copy link

@MegaManSec MegaManSec commented Oct 31, 2025

Response.content() cast the x-ratelimit-reset header to int without validation. If a 429 response included a non-integer (or garbage) value, int() raised ValueError and the call crashed instead of raising a structured RateLimitError. Parse defensively and fall back to -1 when missing/malformed so clients always receive RateLimitError as intended.

Testing

Simulate a server response with something like this:

from auth0.exceptions import RateLimitError
from auth0.rest import Response

bad_headers = {"x-ratelimit-reset": "NaN"}  # or any non-integer
r = Response(429, {"error":"rate_limited"}, bad_headers)
r.content()  # raises ValueError today (expected: RateLimitError with reset_at=-1)

Checklist

@MegaManSec
fix(rest): tolerate malformed x-ratelimit-reset in 429 handling
85e37e0 
`Response.content()` cast the `x-ratelimit-reset` header to int without validation.
If a 429 response included a non-integer (or garbage) value, `int()` raised
ValueError and the call crashed instead of raising a structured `RateLimitError`.
Parse defensively and fall back to `-1` when missing/malformed so clients always
receive `RateLimitError` as intended.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
@MegaManSec MegaManSec requested a review from a team as a code owner October 31, 2025 05:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@MegaManSec