Traffic using a deploy token counts as unauthenticated for rate limiting


Our rate limiting code only considers requests made by a user to be authenticated. However, you can also use deploy tokens to access some API endpoints (for the container registry): https://docs.gitlab.com/ee/user/project/deploy_tokens/#usage

A deploy token doesn't have a user, so we'd need to tweak our rate limiting code to handle this. One way to do that would be to:

  1. Also look for a deploy token when we're finding a user (https://gitlab.com/gitlab-com/gl-infra/scalability/-/issues/753#note_472388273).
  2. Make the discriminator for authenticated traffic not just be the user ID, but $class:$id, so you could have User:123 and DeployToken:123 handled correctly (see also https://docs.gitlab.com/ee/development/secure_coding_guidelines.html#past-vulnerable-code).
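To make the two steps concrete, here is an added illustration (it is not GitLab's own code, throttle configuration or model layer): a minimal fixed-window limiter whose bucket key comes from a pluggable principal resolver and discriminator. The `User`, `DeployToken`, `RateLimiter` and resolver names are constructed stand-ins for this example. It shows, first, that a user-only resolver drops deploy-token traffic into the per-IP bucket, and second, that an id-only discriminator makes `User 123` and `DeployToken 123` share one quota while the `$class:$id` form keeps them apart.

```ruby
# Added example, not GitLab's code: a tiny rate limiter keyed on a principal
# discriminator. User, DeployToken and RateLimiter are constructed stand-ins.

# Stand-in principal types; in a real code base these would be models.
User = Struct.new(:id)
DeployToken = Struct.new(:id)

# Resolver reflecting today's behaviour: only a user counts as authenticated,
# so a request carrying just a deploy token is treated as anonymous.
def user_only_resolver(request)
  request[:user]
end

# Resolver for step 1 of the proposal: also look for a deploy token.
def user_or_deploy_token_resolver(request)
  request[:user] || request[:deploy_token]
end

# Naive discriminator: the bare numeric id. Two principals of different
# classes with the same id collapse into one bucket and throttle each other.
def naive_discriminator(principal)
  principal.id.to_s
end

# Discriminator for step 2 of the proposal: "$class:$id".
def class_scoped_discriminator(principal)
  "#{principal.class.name}:#{principal.id}"
end

# Fixed-window counter in a Hash; real throttles use sliding windows and
# shared storage, but the keying logic is what matters here.
class RateLimiter
  def initialize(limit:, resolver:, discriminator:)
    @limit = limit
    @resolver = resolver
    @discriminator = discriminator
    @counts = Hash.new(0)
  end

  # Authenticated principals get their own bucket; everything else shares
  # the per-IP bucket that unauthenticated traffic is counted against.
  def bucket_key(request)
    principal = @resolver.call(request)
    principal ? @discriminator.call(principal) : "ip:#{request[:ip]}"
  end

  # Returns true while the bucket is within its limit, false once exceeded.
  def allow?(request)
    key = bucket_key(request)
    @counts[key] += 1
    @counts[key] <= @limit
  end
end

# Constructed traffic: user 123 uses up a quota of 3, then deploy token 123
# (a different principal from a different address) makes one request.
# Returns whether that deploy-token request is still allowed.
def token_allowed_after_user_exhausts_quota?(discriminator, limit: 3)
  limiter = RateLimiter.new(limit: limit,
                            resolver: method(:user_or_deploy_token_resolver),
                            discriminator: discriminator)
  3.times { limiter.allow?({ user: User.new(123), ip: "10.0.0.1" }) }
  limiter.allow?({ deploy_token: DeployToken.new(123), ip: "10.0.0.2" })
end

# Which bucket a deploy-token-only request lands in under a given resolver.
def deploy_token_bucket(resolver)
  limiter = RateLimiter.new(limit: 3, resolver: resolver,
                            discriminator: method(:class_scoped_discriminator))
  limiter.bucket_key({ deploy_token: DeployToken.new(123), ip: "10.0.0.2" })
end

if __FILE__ == $PROGRAM_NAME
  puts "user-only resolver bucket:   #{deploy_token_bucket(method(:user_only_resolver))}"
  puts "user-or-token resolver bucket: #{deploy_token_bucket(method(:user_or_deploy_token_resolver))}"
  puts "id-only key, token allowed:  #{token_allowed_after_user_exhausts_quota?(method(:naive_discriminator))}"
  puts "class:id key, token allowed: #{token_allowed_after_user_exhausts_quota?(method(:class_scoped_discriminator))}"
end
```

With the user-only resolver the deploy-token request is keyed as `ip:10.0.0.2`, i.e. it is throttled as unauthenticated traffic, which is the bug in the title. Switching the resolver alone is not enough: with the id-only discriminator the token's request is rejected because user 123 already consumed the shared `123` bucket, whereas the `DeployToken:123` key leaves it unaffected.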
Edited Jul 29, 2025 by 🤖 GitLab Bot 🤖