
Anonymous: Add configurable device limit #10

Closed
ShashankFC wants to merge 1 commit into enhance-anonymous-access from implement-device-limits


Conversation


@ShashankFC ShashankFC commented Feb 13, 2026


User description

Test 1

Summary by CodeRabbit

Release Notes

  • New Features
    • Added a new configurable anonymous device limit setting that allows fine-grained control over the maximum number of devices permitted to register with anonymous authentication
    • When the configured limit is reached, further registration attempts are automatically rejected and an appropriate error is returned to the requesting client


---

*Replicated from [ai-code-review-evaluation/grafana-coderabbit#1](https://github.com/ai-code-review-evaluation/grafana-coderabbit/pull/1)*

CodeAnt-AI Description

Add configurable anonymous device limit and enforce it during anonymous sign-in

What Changed

  • Frontend now exposes a configurable anonymous device limit setting so the UI can show the current quota.
  • When the configured device limit is reached, new anonymous device registrations are rejected; only existing devices are updated.
  • Anonymous authentication now fails when a new device would exceed the limit, preventing additional anonymous sessions from being created.
  • Device listing and metrics use a fixed 30-day window for "last seen" calculations; unit and integration tests added/updated to cover the limit behavior.

Impact

✅ Fewer anonymous device registrations beyond quota
✅ Clearer frontend device limit visibility
✅ Rejected anonymous logins when device quota is full


* Anonymous: Add device limiter

* break auth if limit reached

* fix typo

* refactored const to make it clearer with expiration

* anon device limit for config

---------

Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>

@ShashankFC
Author

@CodeAnt-AI: review


codeant-ai Bot commented Feb 13, 2026


CodeAnt AI is running the review.

@codeant-ai codeant-ai Bot added the size:L This PR changes 100-499 lines, ignoring generated files label Feb 13, 2026

codeant-ai Bot commented Feb 13, 2026


Sequence Diagram

Shows how anonymous authentication now attempts to tag a device synchronously and how the new device limit in the DB store can block registration — returning an error that prevents anonymous login when the limit is reached.

sequenceDiagram
    participant Client
    participant AnonymousAuth as Anonymous (authn)
    participant AnonDeviceSvc as AnonDeviceService
    participant AnonDB as AnonDBStore

    Client->>AnonymousAuth: Authenticate anonymous request
    AnonymousAuth->>AnonDeviceSvc: TagDevice(ctx, request)
    AnonDeviceSvc->>AnonDB: CreateOrUpdateDevice(device)
    alt device count < limit
        AnonDB-->>AnonDeviceSvc: Success (insert/update)
        AnonDeviceSvc-->>AnonymousAuth: Tagging succeeded
        AnonymousAuth-->>Client: Return anonymous identity (login success)
    else device count >= limit
        AnonDB-->>AnonDeviceSvc: ErrDeviceLimitReached
        AnonDeviceSvc-->>AnonymousAuth: Propagate ErrDeviceLimitReached
        AnonymousAuth-->>Client: Return error (authentication rejected)
    end

Generated by CodeAnt AI


codeant-ai Bot commented Feb 13, 2026


Nitpicks 🔍

🔒 No security issues identified
⚡ Recommended areas for review

  • DB compatibility
    The new update path (updateDevice) uses ? placeholders unconditionally while the rest of the file (CreateOrUpdateDevice) explicitly uses DB-specific placeholder styles for Postgres/MySQL/SQLite. This can cause driver/placeholder mismatches (especially around Postgres RETURNING/$n placeholders) or unpredictable behavior across DB backends. Prefer constructing the update query per DB driver (or using the same SQL builder/placeholder translation used elsewhere).

  • Blocking call
    The anonymous authentication flow now calls TagDevice synchronously using the request context. A slow DB or network call inside TagDevice (CreateOrUpdateDevice) can delay or time out authentication. Previously tagging was done in a goroutine with a timeout, avoiding stalls. Consider whether the auth path should be made non-blocking or bounded with a timeout while still ensuring the device-limit error is surfaced to callers.

  • Breaking API
    The provider function signature changed from ProvideAnonDBStore(sqlStore db.DB) to ProvideAnonDBStore(sqlStore db.DB, deviceLimit int64). That is a breaking change for any callers/DI registration sites not updated in this PR. Ensure all call sites are updated or provide a backward-compatible wrapper.

  • Limit semantics
    When the device limit is reached, CreateOrUpdateDevice calls updateDevice which only updates rows whose updated_at is within [now - expiration, now + 1 minute]. This means existing devices older than the expiration window cannot be replaced/updated when the limit is hit, and the call returns ErrDeviceLimitReached. Confirm this is intended — it may block legitimate updates (or replacing stale entries) and can be surprising.

  • Env Override Missing
    The new anonymous settings are read from iniFile.Section("auth.anonymous") directly. Other auth-related readers use cfg.SectionWithEnvOverrides(...) to allow environment variable overrides; using the raw ini section here may prevent environment-based overrides and is inconsistent with the rest of the codebase.
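To make the limit semantics flagged above concrete, here is an added Go model (not Grafana's code and not this PR's diff) of CreateOrUpdateDevice and updateDevice: the [now - expiration, now + 1 minute] window and ErrDeviceLimitReached come from the review text, while MemStore, Count and the rule that every stored row counts toward the limit are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrDeviceLimitReached reuses the error name from the PR's sequence diagram.
var ErrDeviceLimitReached = errors.New("anonymous device limit reached")
// MemStore is a hypothetical in-memory stand-in for AnonDBStore (device ID -> updated_at).
type MemStore struct {
	DeviceLimit int64         // 0 disables the limit (an assumption, not from the PR)
	Expiration  time.Duration // window inside which an existing row may still be updated
	updatedAt   map[string]time.Time
}

func NewMemStore(limit int64, expiration time.Duration) *MemStore {
	return &MemStore{DeviceLimit: limit, Expiration: expiration, updatedAt: map[string]time.Time{}}
}
func (s *MemStore) Count() int { return len(s.updatedAt) }
// updateDevice refreshes a row only if its updated_at lies in [now - expiration, now + 1 minute].
func (s *MemStore) updateDevice(deviceID string, now time.Time) bool {
	seen, ok := s.updatedAt[deviceID]
	if !ok || seen.Before(now.Add(-s.Expiration)) || seen.After(now.Add(time.Minute)) {
		return false // unknown, stale, or future-dated row: left untouched
	}
	s.updatedAt[deviceID] = now
	return true
}
// CreateOrUpdateDevice upserts below the limit (counting every stored row is an assumption);
// at the limit only an in-window update succeeds, anything else rejects the anonymous login.
func (s *MemStore) CreateOrUpdateDevice(deviceID string, now time.Time) error {
	if s.DeviceLimit > 0 && int64(len(s.updatedAt)) >= s.DeviceLimit {
		if s.updateDevice(deviceID, now) {
			return nil
		}
		return ErrDeviceLimitReached
	}
	s.updatedAt[deviceID] = now
	return nil
}

func main() {
	t0 := time.Date(2026, 2, 13, 0, 0, 0, 0, time.UTC) // constructed timestamp
	s := NewMemStore(2, 30*24*time.Hour)               // limit 2, 30-day expiration
	for _, st := range []struct{ id string; at time.Time }{{"a", t0}, {"b", t0}, {"c", t0}, {"a", t0.Add(time.Hour)}, {"a", t0.Add(32 * 24 * time.Hour)}} {
		fmt.Println(st.id, s.CreateOrUpdateDevice(st.id, st.at)) // c rejected; a refreshed, then rejected once stale
	}
}
```

The final step is the case the review calls out: a device that is already known but older than the expiration window is rejected with ErrDeviceLimitReached instead of being refreshed once the limit is full.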


codeant-ai Bot commented Feb 13, 2026


CodeAnt AI finished running the review.

@github-actions

Contributor

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 2 weeks if no further activity occurs. Please feel free to give a status update or ping for review. Thank you for your contributions!

@github-actions github-actions Bot added the stale label Mar 16, 2026
@github-actions

Contributor

This pull request has been automatically closed because it has not had any further activity in the last 2 weeks. Thank you for your contributions!

@github-actions github-actions Bot closed this Mar 30, 2026