Unexpected 400 responses for legitimate uses of VSCode Extension
Summary
Recently we enabled a rate limit for the /oauth/token endpoint that counted only requests answered with 400 Bad Request.
However, this change had to be rolled back because of unexpected impact on legitimate users; the majority of the affected requests carried vs-code-gitlab-workflow/ user agents.
We need to understand whether there is a bug in the VSCode extension, because the only way we have been able to reproduce 400 responses from this endpoint is by sending malformed requests (a request body that is not valid JSON).
Related Incident: 2025-02-26: 429 Errors for Oauth requests (gitlab-com/gl-infra/production#19368 - closed)
Impact
Production Engineering has been unable to configure a rate limit due to unexpected impact on legitimate users.
Recommendation
Investigate and fix the requests from the VSCode extension to the /oauth/token endpoint that are answered with 400 Bad Request.
Verification
Using Cloudflare events (such as this rule, available only to those with Cloudflare access), we can verify whether 400 responses for this endpoint are still present once the fix has been implemented.
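The two things this issue turns on are (a) which user-agent families are producing the 400s on /oauth/token, and (b) why a rate limit that counts only 400 responses still hit legitimate clients. The script below is an added example, not GitLab's or Cloudflare's own tooling: it groups 400 responses on the token endpoint by user-agent family, the check the Verification section describes, and then replays the same events through a simplified sliding-window limit that counts only 400s. The events are constructed sample data, the `limit`/`window_seconds` values are illustrative, and the rejection semantics (once a client IP has `limit` counted 400s inside the window, its next request to the path is refused regardless of what that request would have returned) are an assumption about how such a rule behaves, not a description of the actual Cloudflare rule.

```python
"""Group 400s on /oauth/token by user-agent family and simulate a 400-only rate limit.
Added example with constructed data; not GitLab or Cloudflare code."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

TOKEN_PATH = "/oauth/token"

# Constructed user agents; the VS Code one mirrors the "vs-code-gitlab-workflow/" prefix
# named in the issue, the others are ordinary clients for contrast.
VSCODE_UA = "vs-code-gitlab-workflow/5.21.0 VSCode/1.97.0"
SCRIPT_UA = "python-requests/2.31.0"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"


def _ev(ts, ip, path, status, ua):
    """Minimal HTTP-event record (subset of fields a Cloudflare request event carries)."""
    return {"ts": ts, "ip": ip, "path": path, "status": status, "ua": ua}


# Constructed sample events (not real traffic), already in time order.
SAMPLE_EVENTS = [
    _ev("2025-02-26T10:00:00Z", "198.51.100.10", TOKEN_PATH, 200, VSCODE_UA),
    _ev("2025-02-26T10:00:05Z", "198.51.100.10", TOKEN_PATH, 400, VSCODE_UA),
    _ev("2025-02-26T10:00:10Z", "198.51.100.10", TOKEN_PATH, 400, VSCODE_UA),
    _ev("2025-02-26T10:00:15Z", "198.51.100.10", TOKEN_PATH, 400, VSCODE_UA),
    _ev("2025-02-26T10:00:20Z", "198.51.100.10", TOKEN_PATH, 400, VSCODE_UA),
    _ev("2025-02-26T10:00:30Z", "203.0.113.7", TOKEN_PATH, 400, SCRIPT_UA),
    _ev("2025-02-26T10:00:31Z", "203.0.113.7", TOKEN_PATH, 400, SCRIPT_UA),
    _ev("2025-02-26T10:00:32Z", "203.0.113.7", TOKEN_PATH, 400, SCRIPT_UA),
    _ev("2025-02-26T10:00:33Z", "203.0.113.7", TOKEN_PATH, 400, SCRIPT_UA),
    _ev("2025-02-26T10:00:40Z", "192.0.2.5", TOKEN_PATH, 200, BROWSER_UA),
    _ev("2025-02-26T10:00:45Z", "192.0.2.5", "/api/v4/user", 400, BROWSER_UA),  # other path, ignored
    _ev("2025-02-26T10:05:00Z", "198.51.100.10", TOKEN_PATH, 400, VSCODE_UA),   # outside the window
]


def ua_family(ua: str) -> str:
    """Product token before the first '/' or space, e.g. 'vs-code-gitlab-workflow'."""
    return ua.split("/", 1)[0].split(" ", 1)[0]


def bad_requests_by_ua(events, path: str = TOKEN_PATH) -> Counter:
    """Number of 400 responses on `path`, keyed by user-agent family.
    This is the post-fix check: the vs-code-gitlab-workflow bucket should go to zero."""
    return Counter(ua_family(e["ua"]) for e in events
                   if e["path"] == path and e["status"] == 400)


def _parse_ts(ts: str) -> datetime:
    # 'Z' suffix is not accepted by fromisoformat before Python 3.11, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def simulate_400_rate_limit(events, limit: int, window_seconds: int,
                            path: str = TOKEN_PATH) -> Counter:
    """Per-client-IP sliding window that counts only 400 responses on `path`.
    Returns how many requests each IP would have received 429 for instead.
    Assumed semantics (a simplification, not Cloudflare's rule engine): when an IP
    already has `limit` counted 400s inside the window, its next request to the
    path is refused even if that request would otherwise have succeeded."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of counted 400s still inside the window
    rejected = Counter()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["path"] != path:
            continue
        ts = _parse_ts(e["ts"])
        q = recent[e["ip"]]
        while q and ts - q[0] > window:
            q.popleft()  # expire 400s that fell out of the window
        if len(q) >= limit:
            rejected[e["ip"]] += 1  # would be a 429 for this client
            continue
        if e["status"] == 400:
            q.append(ts)
    return rejected


if __name__ == "__main__":
    print("400s on", TOKEN_PATH, "by UA family:", dict(bad_requests_by_ua(SAMPLE_EVENTS)))
    print("Requests a 3-per-60s limit on 400s would have refused:",
          dict(simulate_400_rate_limit(SAMPLE_EVENTS, limit=3, window_seconds=60)))
```

With this data the VS Code client, which the issue treats as legitimate, trips the simulated limit exactly like the scripted client does, because the limit keys on the 400 count and not on the user agent; that is why the change had to be rolled back rather than tuned, and why the fix belongs in whatever makes the extension send requests the endpoint rejects.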