Unauthorized users see rate limit message instead of a 401

[philsturgeon]

If you provide invalid credentials it should 401, not simply fall back to unauthorized user and try to use up the rate limit for other people.

This is essentially a silent fail, and could lead to all sorts of crazy problems.

1. Clients not realizing their tokens are bad
2. Rate limit is constantly used up for the public by one company with a crap token.

etc.

I'll try and have a look but I might not get around to it as I already have about 5-6 outstanding PRs to write for 3 different projects. If anyone can dive in that would be awesome.

[jasonlewis]

Hey Phil I'm just looking into this now. I'm not sure what's going on here. Are you reaching your rate limit as an authenticated user then using an invalid token and getting the message?

For me if I provide an invalid token it always returns the 401 with the invalid token message.

[bweston92]

The rate limiting is on a per ip basis I thought? So it wouldn't affect other users in less they're on that ip.—
Sent from Mailbox for iPhone

On Fri, Jun 27, 2014 at 7:03 AM, Jason Lewis notifications@github.com
wrote:

Hey Phil I'm just looking into this now. I'm not sure what's going on here. Are you reaching your rate limit as an authenticated user then using an invalid token and getting the message?

For me if I provide an invalid token it always returns the 401 with the invalid token message.

Reply to this email directly or view it on GitHub:
#62 (comment)