Merged
#28328 feat(core): Make token exchange rate limits configurable via env vars (no-changelog)

Token exchange rate limits now configurable via environment variables

Operators can tune rate limiting on OAuth token exchange and embed login endpoints without code changes, using new environment variables with sensible defaults.

OAuth 2.0 token exchange endpoints are getting more flexible. Rate limits that were previously hardcoded at 20 requests per minute per IP can now be adjusted via environment variables.

Two endpoints are affected: the POST /auth/oauth/token token exchange endpoint and the GET/POST /auth/embed embed login endpoints. Both now read their rate limits from TokenExchangeConfig at startup, defaulting to 20 requests per minute if not overridden.

The embed login endpoints also gain a new redirectTo parameter. Callers can now specify where users land after authentication instead of always redirecting to the instance root.

A shared validateRedirectUrl utility handles open-redirect protection across both SAML and embed login flows, extracted from the SAML controller into a reusable module.

These changes are part of Phase 4 (Hardening) for the OAuth 2.0 Token Exchange project.
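The two pieces the summary describes, a redirect-target check that closes the open-redirect hole and a defaulted env-var reader for the per-minute limits, written here as an added illustration; this is not n8n's own validateRedirectUrl or TokenExchangeConfig, and the function names, the rejection of non-positive limits and the "fall back to the instance root" behaviour are assumptions.

```typescript
// Added example, not n8n's code. Assumed: a redirectTo value is only honoured when it is
// an absolute path on the current origin; anything else falls back to the root.
function validateRedirectUrl(redirectTo: string | undefined, fallback = '/'): string {
  if (!redirectTo) return fallback;
  // Must be a path on this origin: reject scheme-relative (`//host`) and backslash
  // variants (`/\host`), which browsers normalise to a different host, and any
  // value carrying its own scheme (`https://`, `javascript:`).
  if (!redirectTo.startsWith('/')) return fallback;
  if (redirectTo.startsWith('//') || redirectTo.startsWith('/\\')) return fallback;
  // Control characters and whitespace have no place in a redirect target.
  if (/[\x00-\x1f\s]/.test(redirectTo)) return fallback;
  // Final check: resolve against a fixed origin and require that origin to survive.
  try {
    const base = 'http://localhost';
    const parsed = new URL(redirectTo, base);
    if (parsed.origin !== base) return fallback;
    return parsed.pathname + parsed.search + parsed.hash;
  } catch {
    return fallback;
  }
}

// Reads one per-minute limit from the environment, defaulting to 20 as the PR does.
// Assumed policy: a malformed, zero or negative value must not silently lift protection,
// so it also falls back to the default.
function readRateLimit(env: Record<string, string | undefined>, name: string, fallback = 20): number {
  const raw = env[name];
  if (raw === undefined || raw.trim() === '') return fallback;
  const n = Number(raw);
  if (!Number.isInteger(n) || n < 1) return fallback;
  return n;
}

interface TokenExchangeRateLimits {
  embedLoginPerMinute: number;    // GET/POST /auth/embed
  tokenExchangePerMinute: number; // POST /auth/oauth/token
}

// Builds the limits from the two env vars named in the PR (env is passed in so the
// same loader can be exercised against a constructed environment).
function loadTokenExchangeRateLimits(env: Record<string, string | undefined>): TokenExchangeRateLimits {
  return {
    embedLoginPerMinute: readRateLimit(env, 'N8N_TOKEN_EXCHANGE_EMBED_LOGIN_PER_MINUTE'),
    tokenExchangePerMinute: readRateLimit(env, 'N8N_TOKEN_EXCHANGE_TOKEN_EXCHANGE_PER_MINUTE'),
  };
}
```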

Summary

Makes rate limits on the token exchange authentication endpoints (POST /auth/oauth/token and GET/POST /auth/embed) configurable via environment variables instead of hardcoded values. Also adds a redirectTo parameter to the embed login endpoints so callers can specify where the user lands after authentication, and extracts the redirect URL validation logic from the SAML controller into a shared utility.

New env vars:

  • N8N_TOKEN_EXCHANGE_EMBED_LOGIN_PER_MINUTE (default: 20) — IP rate limit for GET/POST /auth/embed
  • N8N_TOKEN_EXCHANGE_TOKEN_EXCHANGE_PER_MINUTE (default: 20) — IP rate limit for POST /auth/oauth/token

This is part of the Phase 4 (Hardening) milestone for the OAuth 2.0 Token Exchange project. These endpoints are authentication surfaces, so configurable rate limiting allows operators to tune protection against brute-force attempts for their deployment profile without code changes.

Key implementation decisions

  • Rate limit values are read from TokenExchangeConfig at module load time via Container.get() at the top level, since decorator arguments must be static. This is consistent with how the config is used elsewhere.
  • Extracted validateRedirectUrl from SamlController into @/utils/validate-redirect-url so both SAML and embed login share the same open-redirect protection.

Related tickets

Review / Merge checklist

  • I have seen this code, I have run this code, and I take responsibility for this code.
  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with Backport to Beta, Backport to Stable, or Backport to v1 (if the PR is an urgent fix that needs to be backported)
© 2026 · via Gitpulse