fix(privacyidea): disable response signing + raise rate limit to unblock login

PI_NO_RESPONSE_SIGN=True works around Werkzeug 3.x crash where request.json
raises BadRequest on GET requests with empty bodies (sign_response path).

Rate limit raised from 20/5 to 200/100 req/min to allow the AngularJS UI's
burst of ~50 parallel static asset requests on each page load without being
throttled by Traefik. TODO: split tight /auth+/validate vs loose /static limits.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-25 01:55:10 +00:00
parent 23e0b43318
commit c0e330ee4e
2 changed files with 10 additions and 5 deletions

View File

@@ -43,3 +43,8 @@ data:
# Scripts folder for event handlers (leave default unless customising).
PI_SCRIPT_FOLDER = "/etc/privacyidea/scripts"
# Disable response signing — sign_response crashes on GET requests with
# Werkzeug 3.x because request.json raises BadRequest for empty bodies.
# The audit keys are still used for audit log signing.
PI_NO_RESPONSE_SIGN = True