We're Hiring!

Mattermost, Inc.

Bug: Invite rate limit applied silently, undocumented

Summary

API invites by email are silently rate-limited, and rate limits are undocumented.

Steps to reproduce

Using 5.25.1, attempt to call the Invite users to the team by email API call with a list of more than 20 email addresses.
http://your-mattermost-url.com/api/v4/teams/{team_id}/invite/email

Expected behavior

If rate limiting is applied, the API call should fail. Rate limiting should be documented in the API reference.

I would expect an HTTP response code in the 400 range. Possibly 413 (request entity too large) with a retry-after header indicating when the next batch could be accepted.

Observed behavior

The API returned a 200 result code, and mattermost wrote the following to its log:

{"level":"error","ts":1596150191.2522833,"caller":"mlog/log.go:175","msg":"Invite emails rate limited.","user_id":"gst7u7g9zbdsbmiesiwkjnuqcw","team_id":"pieu7ohjkibntm6jko86jxrgao","retry_after":"-1ns"}

The only reference I can find to this rate limit is in this other forum post. I can’t find it in the general documentation, and it is definitely not documented in the API reference.

It seems to me that the API call should be updated to include a result code that indicates the list of addresses is too large (e.g. 413). The parameters of the rate limit should also be documented (how many email addresses are allowed … how long one must wait before sending more … etc).

If the rate limit could be made configurable that would also be useful.

In the mean time, can someone clarify for me exactly what limits are placed on this call?

Thanks!

Could these docs help: https://docs.mattermost.com/administration/config-settings.html#rate-limiting?

The person in the other posting asked about that, and you said that no, those rate limits are not the same thing.

Reading the docs suggests to me that is the rate limiting for API calls in general. What I’m encountering here is a rate limit on email address invites per hour.

Also, those docs don’t address the problem of the rate limiting being applied silently.

Also, after some more thought, it occurs to me that my Expected Behaviour section above is too simple. There are really two similar-but-different error conditions here:

  1. more than the maximum number of addresses were sent in the json blob (e.g. the list is 21 addresses)
  2. more than the maximum number of addresses per hour are trying to be sent (e.g. 10 have already been sent this hour, and now a request is received with 11 addresses)

Probably both should be a 413 Entity Too Large response code, but the first would not have a retry-after header and the second would. I’d suggest there should also be different text in the message field of the response json.

Hi, everyone.

For reference purposes, I went ahead and created this bug report:

Feel free to share and add more comments related to the issue in the official ticket. Thanks.