fix: limit retriable hook status codes

[eduardoboucas]

Stop retrying hook calls on status codes other than 429 and 5xx. Also adds a basic backoff.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 926bc471-9871-4813-b66d-cfa0345a0923

📥 Commits

Reviewing files that changed from the base of the PR and between 7486761 and bdb6b1d.

📒 Files selected for processing (1)

• api/hooks.go

---

📝 Walkthrough

Summary by CodeRabbit

• Bug Fixes

  • Improved webhook retry behavior with exponential backoff between attempts.
  • Rate-limiting (429) and server (5xx) responses are properly retried until success.
  • Non-retriable client errors (4xx) fail immediately to avoid unnecessary retries.

• Tests

  • Added tests covering non-retriable 4xx behavior and retrying on 429 until success.

Walkthrough

The PR modifies webhook retry logic in the gotrue authentication service to improve resilience. The implementation layer introduces exponential backoff delays before each retry attempt and classifies HTTP responses into retriable (429, 5xx) and non-retriable categories. Non-retriable responses immediately return an error, while retriable responses continue the retry loop. The test layer validates this behavior with three test cases: one confirming retriable 503 responses retry until success, one confirming non-retriable 400 responses fail immediately, and one confirming 429 responses retry until success.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: limiting retriable webhook status codes to only 429 and 5xx responses, which aligns with the core purpose of the pull request.
Description check	✅ Passed	The description directly relates to the changeset, explaining that hook retries are now limited to 429 and 5xx status codes, and that exponential backoff has been added.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/hook-retry

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api/hooks.go`:
- Around line 142-148: The response body (rsp.Body) isn't closed on the failure
paths: ensure you explicitly close the response before retrying or
returning—i.e., before the "continue" for retriable responses and before the
"return" for non-retriable responses in the webhook handling block; call
rsp.Body.Close() (guarding for non-nil) and optionally drain the body
(io.Copy(ioutil.Discard, rsp.Body)) to reuse connections, instead of deferring
inside the loop. This change touches the webhook response handling logic around
the rsp variable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 244c8307-6aa4-4c4d-add3-4d285605ad91

📥 Commits

Reviewing files that changed from the base of the PR and between 30e9d81 and 7486761.

📒 Files selected for processing (2)

• api/hook_test.go
• api/hooks.go

[ndhoule]

Looks great! Thanks very much for these fixes ❤️