Skip to content

fix(job-alerts): rate-limit the public subscribe endpoint#113

Merged
RikepilB merged 1 commit into
mainfrom
fix/rate-limit-job-alerts
Jul 8, 2026
Merged

fix(job-alerts): rate-limit the public subscribe endpoint#113
RikepilB merged 1 commit into
mainfrom
fix/rate-limit-job-alerts

Conversation

@RikepilB

@RikepilB RikepilB commented Jul 2, 2026

Copy link
Copy Markdown
Owner

Closes an open P0 from docs/SECURITY-AUDIT.md ("Public routes" row): POST /api/public/job-alerts had no rate limit, unlike the sibling application-submit endpoints which already use src/lib/rate-limit.ts.

What

  • Applied the same per-IP fixed-window limiter (10/min) used by the application-submit routes.
  • Over-limit requests get 429 + Retry-After, matching the existing pattern in src/app/api/public/jobs/[slug]/applications/route.ts.
  • GET (unsubscribe) is left as-is — it's token-scoped, not a comparable abuse surface.

Testing

  • 3 new cases in route.test.ts: allowed under limit, 429+Retry-After once exceeded, limits tracked independently per IP.
  • pnpm lint / pnpm typecheck — clean.
  • pnpm test -- --run — 209/209 pass.

Known limitation carried over from the existing limiter (documented in src/lib/rate-limit.ts): in-memory, per-instance, resets on cold start. Fine for the current single-instance deployment; noted as a scale-up item, not blocking here.

POST /api/public/job-alerts had no rate limit, unlike the sibling
application-submit endpoints — flagged as an open P0 in
docs/SECURITY-AUDIT.md ("Public routes" / rate limiting).

Reuses the existing per-IP fixed-window limiter from
src/lib/rate-limit.ts (same 10/min shape as the application submit
routes). Unauthenticated GET /unsubscribe is token-scoped and left
as-is.

Tests: 3 new cases (under limit, 429+Retry-After over limit,
per-IP isolation). 209/209 pass.
@vercel

vercel Bot commented Jul 2, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
scoutlane Ready Ready Preview, Comment Jul 2, 2026 12:12am

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: ea52f1dc-44ae-4ea0-bfed-cbb385ed5cec

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/rate-limit-job-alerts

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@RikepilB RikepilB merged commit 1ae2940 into main Jul 8, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant