From 85e37e05d21cd29672c8a01b6a892503f8d7d3ae Mon Sep 17 00:00:00 2001
From: Joshua Rogers
Date: Fri, 31 Oct 2025 13:11:55 +0800
Subject: [PATCH] fix(rest): tolerate malformed `x-ratelimit-reset` in 429 handling

`Response.content()` cast the `x-ratelimit-reset` header to int without validation. If a 429 response included a non-integer (or garbage) value, `int()` raised ValueError and the call crashed instead of raising a structured `RateLimitError`. Parse defensively and fall back to `-1` when missing/malformed so clients always receive `RateLimitError` as intended.

Signed-off-by: Joshua Rogers
---
 auth0/rest.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/auth0/rest.py b/auth0/rest.py
index a2d9bd9a..2a7f448d 100644
--- a/auth0/rest.py
+++ b/auth0/rest.py
@@ -284,7 +284,11 @@ def __init__(
 def content(self) -> Any:
 if self._is_error():
 if self._status_code == 429:
- reset_at = int(self._headers.get("x-ratelimit-reset", "-1"))
+ raw_reset = self._headers.get("x-ratelimit-reset")
+ try:
+ reset_at = int(raw_reset) if raw_reset is not None else -1
+ except (ValueError, TypeError):
+ reset_at = -1
 raise RateLimitError(
 error_code=self._error_code(),
 message=self._error_message(),
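Review bot: The new `int(raw_reset)` parse in `content()` rejects only values that fail to parse, so a header that parses but makes no sense as a reset time (a negative number other than the sentinel, an underscore form such as `1_0`, or an extremely distant epoch) still reaches `RateLimitError` as `reset_at`. Since the header comes off the network, I would normalise inside the `try` by adding `if reset_at < 0: reset_at = -1` after the parse, with a comment such as `# -1 means the header was missing or unusable`. Callers that derive a wait from `reset_at` presumably need an upper bound as well, which cannot be confirmed from this hunk. The diffstat shows only `auth0/rest.py` changed, so a regression test that feeds a malformed `x-ratelimit-reset` on a 429 and asserts `RateLimitError` would be worth adding. The body of `content()` and the `raise RateLimitError(` call continue past the end of the hunk.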