Open VSX Registry rate-limit mechanism misbehavior respond with 429 Too Many Requests #972

Open
garylavayou opened this issue Aug 9, 2024 · 0 comments
Labels: bug (Something isn't working), server (Component: server)


garylavayou commented Aug 9, 2024

1. Brief Description

A click to browse the Java extension triggers multiple API responses with 429 Too Many Requests and inappropriate rate-limiting parameters. The same phenomenon also occurs for other extension pages.

2. Details

2.1. Related API Request and Response

API request in curl form (exported from the browser, some headers omitted):

curl 'https://open-vsx.org/api/redhat/java' \
  -H 'referer: https://open-vsx.org/extension/redhat/java' \
  -H 'sec-ch-ua: "Not)A;Brand";v="99", "Microsoft Edge";v="127", "Chromium";v="127"' \
  -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0'

The problematic response with headers is:

429 Too Many Requests

access-control-allow-origin: *
access-control-expose-headers: X-Rate-Limit-Retry-After-Seconds, X-Rate-Limit-Remaining
content-length: 35
content-type: application/json
date: Fri, 09 Aug 2024 10:02:00 GMT
server: nginx
x-rate-limit-retry-after-seconds: 0

{ "message": "Too many requests!" }

See also the Open VSX Registry API for querying extension metadata.

2.2. Explanation

The status code 429 of the response and the access-control-expose-headers header imply that the registry service applies rate-limit rules to client requests.

However, the x-rate-limit-retry-after-seconds header does not seem to be set correctly. When the rate limit is triggered, this header should be set to a positive value so that the client delays its retry.
But the response actually sets this value to 0, which causes the client to retry the request immediately, resulting in another response with status code 429.

In the recorded case, my browser received 6 "bad" responses before the request finally succeeded.


3. Possible fix

The registry service should set the x-rate-limit-retry-after-seconds header to a positive value (number of seconds) when rate limiting is triggered, so that the client delays its next request.
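The tight retry loop described above happens because the client takes the server's 0-second hint literally. The following is an added example in JavaScript (not Open VSX code) of a client retry policy that honours X-Rate-Limit-Retry-After-Seconds when it is positive but falls back to capped exponential backoff when the hint is 0 or missing; the floor and cap values, the fake server, and the synchronous injected transport are assumptions made so the example runs offline.

```javascript
// Added example, not part of the Open VSX client or server.
const MIN_DELAY_S = 1;   // assumed floor used when the server hints 0 seconds
const MAX_DELAY_S = 30;  // assumed cap for the backoff delay

// Seconds to wait before retrying a 429. `headers` is a Map with lowercase
// header names; `attempt` is 0-based. A 0, negative or unparsable hint is
// treated as absent, which is exactly the case reported in the issue.
function retryDelaySeconds(headers, attempt) {
  const raw = headers.get('x-rate-limit-retry-after-seconds');
  const hinted = raw === undefined ? NaN : Number(raw);
  if (Number.isFinite(hinted) && hinted > 0) {
    return Math.min(hinted, MAX_DELAY_S);
  }
  return Math.min(MIN_DELAY_S * 2 ** attempt, MAX_DELAY_S);
}

// Request with bounded retries on 429. `fetchFn(url)` returns
// {status, headers, body}; `sleepFn(seconds)` blocks (or, in a browser,
// would be awaited). Both are injected so the policy is testable offline.
// Returns {response, attempts, delays} or throws once maxAttempts is used up.
function fetchWithRateLimit(url, fetchFn, sleepFn, maxAttempts = 5) {
  const delays = [];
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const res = fetchFn(url);
    if (res.status !== 429) {
      return { response: res, attempts: attempt + 1, delays };
    }
    const delay = retryDelaySeconds(res.headers, attempt);
    delays.push(delay);
    sleepFn(delay);
  }
  throw new Error(`gave up after ${maxAttempts} attempts on ${url}`);
}

// Constructed fake registry reproducing the reported behaviour: the first
// `failures` calls answer 429 with x-rate-limit-retry-after-seconds: 0,
// then the request succeeds.
function makeFakeServer(failures) {
  let calls = 0;
  return () => {
    calls += 1;
    const headers = new Map();
    if (calls <= failures) {
      headers.set('x-rate-limit-retry-after-seconds', '0');
      return { status: 429, headers, body: '{ "message": "Too many requests!" }' };
    }
    return { status: 200, headers, body: '{"name":"java"}' };
  };
}
```

With the six 429 responses seen in the recorded case, the policy makes seven requests spaced 1, 2, 4, 8, 16 and 30 seconds apart instead of seven back-to-back requests.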
