Markus Koller authored
These paths were added in the 13.3.3 security release [1] so they would get throttled by the "protected paths" rate limit, as a protection against brute-force attacks.

This rate limit turned out to be too strict for normal OAuth usage [2], so we're removing the paths again and instead let them get throttled by the general rate limit for unauthenticated requests, which didn't exist yet when we made the original change, and should still offer sufficient protection.

This configuration change was already applied manually on gitlab.com and verified to be working as expected. [3]

[1] https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/757
[2] https://gitlab.com/gitlab-org/gitlab/-/issues/345554
[3] https://gitlab.com/gitlab-com/gl-infra/production/-/issues/6000

Changelog: changed
cf35d502