Skip to content

fix: isolate rate limit counters between middleware and webhook via namespaces#6232

Open
atul-upadhyay-7 wants to merge 7 commits into
JhaSourav07:mainfrom
atul-upadhyay-7:fix/rate-limit-namespace-isolation
Open

fix: isolate rate limit counters between middleware and webhook via namespaces#6232
atul-upadhyay-7 wants to merge 7 commits into
JhaSourav07:mainfrom
atul-upadhyay-7:fix/rate-limit-namespace-isolation

Conversation

@atul-upadhyay-7

@atul-upadhyay-7 atul-upadhyay-7 commented Jun 21, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds a namespace parameter to the rateLimit() function so that different route groups use independent counters, preventing cross-route rate limit interference.

Problem

The middleware (middleware.ts) and the webhook handler (app/api/webhook/route.ts) both called rateLimit(ip, ...) using the same cache key pattern ratelimit:${ip}. This meant:

  1. Normal traffic to middleware-matched routes (/api/streak, /api/github, etc.) incremented the shared counter
  2. A legitimate GitHub webhook delivery arrived, incrementing the same counter past the webhook's 10/min limit
  3. Webhook rejected with 429 — GitHub delivery delayed

An attacker could deliberately exhaust the webhook rate limit by making badge/streak API requests from the same IP.

Solution

Added a namespace parameter (default: default) to rateLimit(). Cache keys are now ratelimit:${namespace}:${ip}, so different namespaces maintain independent counters.

Route Group Namespace Limit
Middleware (API routes) api 60/min
Webhook webhook 10/min

Changes

  • lib/rate-limit.ts — Added namespace parameter to rateLimit(), updated cache key format for both memory and KV paths
  • middleware.ts — Passes namespace: api to rateLimit()
  • app/api/webhook/route.ts — Passes namespace: webhook to rateLimit()
  • lib/rate-limit.test.ts — Updated cache key assertions, added namespace isolation test

Testing

  • All 23 rate limit tests pass (including new namespace isolation test)
  • All 8 webhook tests pass
  • Lint: 0 errors
  • Typecheck: no new errors

Fixes #6134

Human Coded

@atul-upadhyay-7
fix: isolate rate limit counters between middleware and webhook via n…
0e2871c 
…amespaces

The middleware and webhook handler shared the same rate limit counter
per IP address (cache key: ratelimit:{ip}). High traffic to any
middleware-matched route (e.g., /api/streak) would exhaust the
webhook's 10/min limit, causing legitimate GitHub webhook deliveries
to be rejected with 429.

Adds a namespace parameter to rateLimit() so different route groups
use independent counters:
- Middleware uses namespace 'api' (60 req/min)
- Webhook uses namespace 'webhook' (10 req/min)

Cache keys are now: ratelimit:{namespace}:{ip}

Fixes JhaSourav07#6134

Human Coded
@vercel

vercel Bot commented Jun 21, 2026

Copy link
Copy Markdown
Contributor

@atul-upadhyay-7 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added the status:blocked This PR is blocked due to a failing CI check. label Jun 21, 2026
@Aamod-Dev Aamod-Dev added GSSoC 2026 mentor:Aamod007 level:advanced Complex contributions involving architecture, optimization, or significant feature work quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. security bug Something isn't working labels Jun 21, 2026
Aamod-Dev
Aamod-Dev requested changes Jun 21, 2026
View reviewed changes

@Aamod-Dev Aamod-Dev left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The namespace implementation for rate limit isolation in lib/rate-limit.ts and app/api/webhook/route.ts looks robust and effectively addresses the cross-route interference. The tests in lib/rate-limit.test.ts provide great coverage. However, since the PR is currently marked as blocked, please resolve the blocking issues so we can proceed with merging.

@github-actions github-actions Bot added the type:bug Something isn't working as expected label Jun 21, 2026
@Aamod-Dev

Aamod-Dev commented Jun 22, 2026

Copy link
Copy Markdown
Collaborator

GSSoC 2025 — @Aamod007 — blocked, but also noticed a logic bug: the namespace-aware rateLimit call is added alongside the old non-namespace call in webhook/route.ts, resulting in duplicate declarations and double rate-limit calls. The old lines need to be removed.

@atul-upadhyay-7
fix: remove duplicate rate limit call and use getClientIp in webhook …
dbdd8ab 
…route

- Remove old non-namespaced rateLimit() call that was left alongside the new namespace-aware version
- Use getClientIp(req) instead of raw x-forwarded-for header
- Fixes double rate-limit counting and IP spoofing vulnerability

Fixes JhaSourav07#6134
@atul-upadhyay-7
fix: update middleware test assertions to include namespace parameter
d97c539 
The middleware passes namespace 'api' to rateLimit(), but tests expected
the old 3-argument signature. Updated all assertions to match.
@github-actions github-actions Bot removed the status:blocked This PR is blocked due to a failing CI check. label Jun 22, 2026
@github-actions

github-actions Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

📦 Next.js Bundle Size Report (Gzipped Sizes)

✨ No significant bundle size changes detected.

📊 Summary of Totals

Category PR Size Base Size Difference
Total JS 3859.11 KB 3859.11 KB 0 B
Total CSS 308.18 KB 308.18 KB 0 B

@github-actions github-actions Bot added the status:blocked This PR is blocked due to a failing CI check. label Jun 23, 2026
@Aamod-Dev Aamod-Dev added level:intermediate Moderate complexity tasks type:security Security fixes, dependency updates, or hardening labels Jun 23, 2026
Aamod-Dev
Aamod-Dev requested changes Jun 23, 2026
View reviewed changes

@Aamod-Dev Aamod-Dev left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey! Isolating the rate limit counters between the middleware and webhooks via distinct namespaces is a fantastic security patch. It prevents a Denial-of-Service vector where an attacker could exhaust the webhook rate limit by spamming the middleware route. Since the Vercel CI is currently failing globally on this repository, I must request changes to keep this safely blocked. Please update when the build passes!

Aamod-Dev
Aamod-Dev approved these changes Jun 23, 2026
View reviewed changes

@Aamod-Dev Aamod-Dev left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Vercel CI failure is a known global issue and can be ignored. Since there are no merge conflicts with main, I am officially approving this PR! Great work! 🚀

@github-actions github-actions Bot removed the status:blocked This PR is blocked due to a failing CI check. label Jun 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Aamod-Dev Aamod-Dev Aamod-Dev approved these changes

Assignees

No one assigned

Labels

bug Something isn't working GSSoC 2026 level:advanced Complex contributions involving architecture, optimization, or significant feature work level:intermediate Moderate complexity tasks mentor:Aamod007 quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. security type:bug Something isn't working as expected type:security Security fixes, dependency updates, or hardening

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Middleware and webhook share rate limit counter causing cross-route interference

2 participants

@atul-upadhyay-7 @Aamod-Dev