Users Blocking Feature Not Working As Expected

Problem statement

We are running performance tests against the user blocking feature and have noticed that Auth0 only blocks the user temporarily. We executed the following test:
1 - We made an automated run of 300 requests to the signup API from the same IP address.
2 - We noticed that the response time was high (more than ~2000 ms).
3 - All the requests were triggered from the client IP address (success).
4 - On the Auth0 dashboard we found the IP in blocked status.
5 - We then sent a new bulk of requests from the same network.
6 - Most of those requests passed.

Expected results: The user should be blocked after 100 requests per minute and be unable to perform any further action.

Actual results: The user has been blocked in Auth0 but can still sign up successfully.

Solution

Auth0 counts the connecting IP address of the request, not the client IP address. The difference matters when the client invokes the signup endpoint through a proxy server: in that case it is the proxy server's IP address that is counted towards the limit.

The default limit currently applied is 50 signups per minute, per tenant, per connecting IP. The limit bucket recharges at approximately one signup per second until it is back to 50.
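As an added illustration (not Auth0's code), the following Python models the limit described above as a token bucket keyed on (tenant, connecting IP), using the 50-signup capacity and one-per-second recharge stated in this article; the tenant name and IP addresses in the demo are constructed sample values, and the assumption that requests behind a proxy all share the proxy's bucket follows from the explanation above.

```python
class SignupRateLimiter:
    """Token bucket per (tenant, connecting IP): capacity 50, refill ~1/s.

    These parameters are the ones stated in the article; the bucket
    implementation itself is an assumption used for illustration.
    """

    def __init__(self, capacity=50, refill_per_sec=1.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets = {}  # (tenant, connecting_ip) -> (tokens, last_seen_ts)

    def allow(self, tenant, connecting_ip, now):
        """Return True if a signup at time `now` (seconds) fits the bucket."""
        key = (tenant, connecting_ip)
        tokens, last = self.buckets.get(key, (self.capacity, now))
        # Recharge at refill_per_sec since the last request, capped at capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


def simulate(requests, limiter=None):
    """Replay (timestamp_s, tenant, client_ip, proxy_ip_or_None) tuples.

    The connecting IP is the proxy's address when the client sits behind one,
    which is why many clients behind one proxy drain a single bucket.
    Returns (allowed, blocked) counts.
    """
    limiter = limiter or SignupRateLimiter()
    allowed = blocked = 0
    for ts, tenant, client_ip, proxy_ip in requests:
        connecting_ip = proxy_ip or client_ip
        if limiter.allow(tenant, connecting_ip, ts):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample: 300 signups in one burst from a single connecting IP.
    burst = [(0, "example-tenant", "203.0.113.10", None)] * 300
    print("burst of 300 from one IP (allowed, blocked):", simulate(burst))
    # Same volume spread to one request per second never exhausts the bucket.
    steady = [(i, "example-tenant", "203.0.113.10", None) for i in range(300)]
    print("300 at 1/s from one IP (allowed, blocked):", simulate(steady))
```

The second scenario shows why a test that paces requests at roughly the recharge rate will see "most requests pass" even though the limit is in force.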