
implement Redis-based rate limiting with fail-closed security#56

Open

mnah05 wants to merge 2 commits into ComeOnOliver:main from mnah05:main

Conversation

@mnah05

@mnah05 mnah05 commented Apr 6, 2026

Summary

Replaces the broken in-memory rate limiter with Upstash Redis for production-grade rate limiting. The previous implementation reset on each serverless invocation, allowing unlimited abuse.

Problem

  • Issue #19 (No rate limiting on API endpoints) documented the vulnerability: 30+ rapid requests all succeeded with HTTP 200
  • No X-RateLimit-* headers present in responses
  • In-memory Map reset on each serverless cold start
  • API vulnerable to scraping and abuse

Solution

  • Redis-based storage: Uses Upstash Redis with INCR/EXPIRE for persistent rate tracking
  • Fail-closed security: Returns 503 if Redis unavailable (instead of allowing unlimited traffic)
  • Standard headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset
  • Proper errors: Returns 429 with Retry-After header when limit exceeded
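
The INCR/EXPIRE design, standard headers and fail-closed behaviour described above, as an added example that is not the PR's code: `rateLimit` is a hypothetical helper, and `FakeRedis` is a constructed stand-in for the @upstash/redis client (same `incr`/`expire`/`ttl` method names) so the example runs offline; the 30-request limit and 60-second window are assumed values.

```javascript
// Added example (not the PR's code): fixed-window limiter on INCR/EXPIRE with
// fail-closed behaviour. FakeRedis is a constructed stand-in for an
// @upstash/redis client so the example runs offline; `advance` moves its clock.
class FakeRedis {
  constructor() { this.store = new Map(); this.now = 0; }
  live(key) {                     // drop expired entries lazily, like Redis does
    const e = this.store.get(key);
    if (e && e.expiresAt !== null && e.expiresAt <= this.now) { this.store.delete(key); return undefined; }
    return e;
  }
  async incr(key) {
    const e = this.live(key) ?? { count: 0, expiresAt: null };
    e.count += 1; this.store.set(key, e); return e.count;
  }
  async expire(key, seconds) {
    const e = this.live(key); if (!e) return 0;
    e.expiresAt = this.now + seconds * 1000; return 1;
  }
  async ttl(key) {                // -2 = no key, -1 = key without expiry
    const e = this.live(key); if (!e) return -2;
    return e.expiresAt === null ? -1 : Math.ceil((e.expiresAt - this.now) / 1000);
  }
  advance(ms) { this.now += ms; }
}

const LIMIT = 30;                 // requests per window (assumed; the issue cites 30+ passing)
const WINDOW_S = 60;              // window length in seconds (assumed)

// Returns { status, headers } for one request; the caller maps it to a response.
async function rateLimit(redis, clientId) {
  const key = `ratelimit:${clientId}`;
  let count, ttl;
  try {
    count = await redis.incr(key);
    if (count === 1) await redis.expire(key, WINDOW_S);   // first hit opens the window
    ttl = await redis.ttl(key);
    if (ttl === -1) { await redis.expire(key, WINDOW_S); ttl = WINDOW_S; } // heal a key whose EXPIRE was lost
  } catch (err) {
    // Fail closed: a broken store must not turn into unlimited traffic.
    return { status: 503, headers: { "Retry-After": "5" } };
  }
  const headers = {
    "X-RateLimit-Limit": String(LIMIT),
    "X-RateLimit-Remaining": String(Math.max(0, LIMIT - count)),
    "X-RateLimit-Reset": String(ttl),   // seconds until the window resets
  };
  if (count > LIMIT) return { status: 429, headers: { ...headers, "Retry-After": String(ttl) } };
  return { status: 200, headers };
}
```

The `ttl === -1` branch covers the case where INCR succeeded but the following EXPIRE never ran (process killed or connection dropped between the two commands), which would otherwise leave a counter that never resets and blocks that client permanently.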

mnah05 added 2 commits April 7, 2026 03:40
Replace in-memory rate limiter with Upstash Redis for production persistence.

Changes:
- Add @upstash/redis dependency for distributed rate limiting
- Replace Map-based storage with Redis INCR/EXPIRE operations
- Implement fail-closed: return 503 if Redis unavailable (security)
- Add standard rate limit headers: X-RateLimit-Limit, Remaining, Reset
- Return 429 with Retry-After when limit exceeded

Closes ComeOnOliver#15
@mnah05 mnah05 requested a review from ComeOnOliver as a code owner April 6, 2026 22:15
@vercel

vercel Bot commented Apr 6, 2026

@mnah05 is attempting to deploy a commit to the Pengzhou AI CLUB Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added webapp Web app changes api API changes labels Apr 6, 2026
@mnah05

mnah05 commented Apr 7, 2026

@ComeOnOliver just checking if you have reviewed this?
