Skip to content

implement per-wallet lock quota and rate limit#1794

Open
HayimShaul wants to merge 13 commits into
mainfrom
1640_rate_limit
Open

implement per-wallet lock quota and rate limit#1794
HayimShaul wants to merge 13 commits into
mainfrom
1640_rate_limit

Conversation

@HayimShaul

Copy link
Copy Markdown
Contributor

implement per-wallet lock quota and rate limit.
Addresses issue #1640

@HayimShaul HayimShaul added this to the Q3/26 milestone Jun 21, 2026
@HayimShaul HayimShaul self-assigned this Jun 21, 2026
@HayimShaul HayimShaul linked an issue Jun 21, 2026 that may be closed by this pull request
@HayimShaul HayimShaul marked this pull request as ready for review June 21, 2026 13:06
Comment thread docs/security/selector_resource_limits.md
Comment thread token/services/selector/simple/inmemory/locker.go
Comment thread token/services/selector/simple/inmemory/locker.go
Comment thread token/services/selector/simple/inmemory/locker.go
Comment thread token/services/selector/simple/inmemory/locker.go
Comment thread token/services/selector/simple/inmemory/ratelimiter.go Outdated
Comment thread token/services/selector/simple/inmemory/ratelimiter.go
Comment thread token/services/selector/simple/inmemory/ratelimiter_test.go
if _, lockErr := s.locker.LockWithIdentity(ctx, &t.Id, s.txID, id, reclaim); lockErr != nil {
// Check if this is a quota or rate limit error - these should not be retried
if errors.HasType(lockErr, ErrQuotaExceeded) || errors.HasType(lockErr, ErrRateLimitExceeded) {
s.locker.UnlockIDs(ctx, toBeSpent...)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When these locks where taken and why we need to unlock them?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

locks are locked in line 126 in the loop.
if something goes wrong we unlock all those we have locked

s.locker.UnlockIDs(ctx, toBeCertified...)

return nil, nil, lockErr
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have a test that check this logic?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added now more tests

@AkramBitar AkramBitar requested a review from adecaro July 1, 2026 08:57
@adecaro

adecaro commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

if I understand correctly the concerns of the issue this PR is trying to address, the selector service needs to have a definition of a Locker whose lock function takes in input also the wallet id the tokens are selected for. Then, we need to enforce that both simple and sherdlock selectors use this function. At that point the job of the token-sdk is done. We can update the documentation and tell the developer how to provide a new implementation of the Locker interface that integrate rate limiting. The application that uses the token-sdk can already have an overall infrastructure for rate limiting (using redis, for example) and they might want to reuse it as well.

Hayim.Shaul@ibm.com added 12 commits July 1, 2026 14:50
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
fix
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
fmt
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
fmt
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
fmt
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
fix
Signed-off-by: Hayim.Shaul@ibm.com <hayimsha@fhe03.vpc.cloud9.ibm.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Per-Caller and Per-Wallet Lock Quotas with Rate Limiting [HIGH]

3 participants