feat: add opt-out flags for token negative cache and rate limiting

[funkypenguin]

Summary

• Adds ENABLE_TOKEN_NEGATIVE_CACHE (default True) to control the in-memory _missing_tokens TTLCache in TokenStore
• Adds ENABLE_TOKEN_RATE_LIMIT (default True) to control the middleware that short-circuits requests for missing tokens with 401/429

Both default to enabled, so existing deployments are unaffected.

Motivation

We deploy Watchly in a Cloudflare-proxied, multi-replica Kubernetes environment and hit several issues with the current token caching and rate-limiting:

1. Stale negative cache across replicas: _missing_tokens is a per-process TTLCache with a 24h TTL. In a multi-replica setup, a token cached as missing on one replica will be rejected for up to 24 hours even after it becomes valid in Redis (e.g. a newly registered user). This causes intermittent 401 errors depending on which replica handles the request.

2. Incorrect IP detection behind proxies: The rate-limiting middleware uses request.client.host, which behind Cloudflare (or any reverse proxy) resolves to the proxy's IP rather than the real client. This means all users share the same rate-limit counter — 8 failures from anyone triggers 429s for everyone on that replica.

3. CORS errors masking real errors: Both the 401 and 429 responses are returned as HTMLResponse before call_next is invoked, so CORSMiddleware never adds CORS headers. Browsers report these as CORS failures rather than showing the actual error, making debugging very difficult.

These flags let operators disable these features where the infrastructure already handles the concerns differently (e.g. Redis for shared state, Cloudflare for rate limiting).

Test plan

• Verify default behavior is unchanged (ENABLE_TOKEN_NEGATIVE_CACHE and ENABLE_TOKEN_RATE_LIMIT both default to True)
• Set ENABLE_TOKEN_NEGATIVE_CACHE=false and confirm tokens are always looked up in Redis
• Set ENABLE_TOKEN_RATE_LIMIT=false and confirm the middleware passes all requests through
• Test in a multi-replica environment that newly created tokens work immediately on all replicas

🤖 Generated with Claude Code

[vercel]

Someone is attempting to deploy a commit to the Bimal Timilsina's projects Team on Vercel.

A member of the Team first needs to authorize it.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces new configuration flags to allow operators to disable the in-memory token negative cache and the token rate-limiting middleware. These changes aim to resolve issues encountered in multi-replica, Cloudflare-proxied Kubernetes environments, such as stale negative cache entries across replicas, inaccurate IP-based rate limiting, and CORS errors masking actual failures. By providing opt-out mechanisms, the system becomes more flexible for deployments where infrastructure already handles these concerns.

Highlights

• Opt-out flags for token negative cache: Introduced ENABLE_TOKEN_NEGATIVE_CACHE (default True) to control the in-memory _missing_tokens TTLCache in TokenStore, addressing stale cache issues in multi-replica environments.
• Opt-out flags for token rate limiting: Added ENABLE_TOKEN_RATE_LIMIT (default True) to control the middleware that short-circuits requests for missing tokens, mitigating issues with incorrect IP detection behind proxies and CORS errors.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces two optional feature flags, ENABLE_TOKEN_NEGATIVE_CACHE and ENABLE_TOKEN_RATE_LIMIT, to give operators more control over token caching and rate limiting behavior. This is a well-reasoned change to address issues in multi-replica deployments. The implementation is straightforward and correctly uses the new settings to conditionally enable/disable the respective functionalities. I have one suggestion to improve the readability of the negative cache check.

[gemini-code-assist]

To improve readability and reduce nesting, you can combine the feature flag check with the cache lookup. Python's and operator uses short-circuit evaluation, so token in self._missing_tokens will only be evaluated if settings.ENABLE_TOKEN_NEGATIVE_CACHE is True, making this change safe.

        try:
            if settings.ENABLE_TOKEN_NEGATIVE_CACHE and token in self._missing_tokens:
                logger.debug(f"[REDIS] Negative cache hit for missing token {token}")
                return None
        except Exception as e:
            logger.debug(f"Failed to check negative cache for {token}: {e}")

[Copilot]

Pull request overview

Adds operator-controlled feature flags to disable (a) the in-process “missing token” negative cache and (b) the middleware that short-circuits requests for known-missing tokens, to better support multi-replica/proxied deployments.

Changes:

• Introduces ENABLE_TOKEN_NEGATIVE_CACHE and ENABLE_TOKEN_RATE_LIMIT settings (both default True).
• Gates _missing_tokens negative-cache reads/writes in TokenStore.get_user_data() behind ENABLE_TOKEN_NEGATIVE_CACHE.
• Adds an early pass-through in block_missing_token_middleware when ENABLE_TOKEN_RATE_LIMIT is disabled.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
app/services/token_store.py	Adds a settings gate for negative-cache behavior inside get_user_data().
app/core/config.py	Defines the new settings flags with defaults.
app/core/app.py	Adds a settings gate to bypass the missing-token blocking/rate-limit middleware.

Comments suppressed due to low confidence (1)

app/core/app.py:78

• block_missing_token_middleware only triggers when the token is present in token_store._missing_tokens. But _missing_tokens is only populated when ENABLE_TOKEN_NEGATIVE_CACHE is enabled, so setting ENABLE_TOKEN_NEGATIVE_CACHE=false while leaving ENABLE_TOKEN_RATE_LIMIT=true effectively disables this middleware’s behavior (without making that dependency explicit). Consider either gating this middleware on ENABLE_TOKEN_NEGATIVE_CACHE as well, or changing the middleware to determine “missing token” in a way that doesn’t rely on the negative cache (or at least documenting the coupling).

    path = request.url.path.lstrip("/")
    seg = path.split("/", 1)[0] if path else ""
    try:
        # If token is known-missing, short-circuit and track IP failures
        if seg and seg in token_store._missing_tokens:

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

These debug logs include the raw token value. Tokens appear to be treated as sensitive elsewhere (e.g., redact_token(...) in other log lines), so logging the full token can leak credentials into log aggregation. Consider using redact_token(token) (or removing the token entirely) in these messages.

[Copilot]

The negative-cache hit log line prints the full token value, which can leak credentials into logs. Please redact the token (e.g., via redact_token(token)) or avoid including it in log messages.

[Copilot]

With @alru_cache on get_user_data, results are cached per token at this layer. That means disabling ENABLE_TOKEN_NEGATIVE_CACHE may still leave a replica returning a cached “missing” (None) response for some period, so it may not achieve the goal of always re-checking Redis for previously-missing tokens in multi-replica deployments. Consider conditionally bypassing the alru_cache when negative caching is disabled, or ensuring that missing-token results are not cached / have a very short TTL.