chore: system wide ratelimit per path (calcom#25080)

* chore: Add system wide rate limiting

* Handle and convert HttpError to 429

* Make algo 32-bit to prevent <ES2020 error + fix sms manager unit test

* Change core to common to go from 10 requests per minute to 200

* Remove redundant function

* Fix integration tests

* Make sure we allow all legal POST routes

* Allow tRPC post calls

* Add matcher tests on middleware

* Add matcher tests on middleware

* Fix matcher to not use regex

* Fix missing POST allow rule for /api/auth/callback/credentials

* Missed the api/book/event endpoints

* Add missing pages/api routes

* Remove POST middleware for now, very risky

* Remove tests for POST protection

---------

Co-authored-by: Volnei Munhoz <volnei.munhoz@gmail.com>

Author: emrysal

apps/web/middleware.test.ts

@@ -9,13 +9,15 @@ import { WEBAPP_URL } from "@calcom/lib/constants";
 import { checkPostMethod } from "./middleware";
 // We'll test the wrapped middleware as it would be used in production
 import middleware from "./middleware";
+import { config } from "./middleware";
 
 // Mock dependencies at module level
 vi.mock("@vercel/edge-config", () => ({
   get: vi.fn(),
 }));
 
 vi.mock("next-collect/server", () => ({
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
   collectEvents: vi.fn((config: any) => config.middleware),
 }));
 
@@ -29,11 +31,13 @@ vi.mock("next/server", async () => {
   const actual = await vi.importActual<typeof import("next/server")>("next/server");
 
   // Create a NextResponse constructor that returns Response objects
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
   const NextResponse = function (body: any, init?: ResponseInit) {
     return new Response(body, init);
   };
 
   // Add static methods
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
   NextResponse.json = (body: any, init?: ResponseInit) => {
     return new Response(JSON.stringify(body), {
       ...init,
@@ -55,6 +59,7 @@ vi.mock("next/server", async () => {
     });
 
     // Add cookies property
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     (response as any).cookies = {
       delete: vi.fn(),
       set: vi.fn(),
@@ -91,6 +96,7 @@ vi.mock("next/server", async () => {
     });
 
     // Add cookies property
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     (response as any).cookies = {
       delete: vi.fn(),
       set: vi.fn(),
@@ -128,6 +134,7 @@ const createTestRequest = (overrides?: {
   return req;
 };
 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
 const createEdgeConfigMock = (config: Record<string, any>) => {
   return (key: string) => {
     if (key in config) return Promise.resolve(config[key]);
@@ -147,6 +154,7 @@ const expectStatus = (res: Response, status: number) => {
 
 // Wrapper for middleware calls to handle type casting
 const callMiddleware = async (req: NextRequest): Promise<Response> => {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
   return (await (middleware as any)(req)) as Response;
 };
 
@@ -165,15 +173,6 @@ describe("Middleware - POST requests restriction", () => {
     expect(res1).toBeNull();
   });
 
-  it("should block POST requests to not-allowed app routes", async () => {
-    const req = createRequest("/team/xyz", "POST");
-    const res = checkPostMethod(req);
-    expect(res).not.toBeNull();
-    expect(res?.status).toBe(405);
-    expect(res?.statusText).toBe("Method Not Allowed");
-    expect(res?.headers.get("Allow")).toBe("GET");
-  });
-
   it("should allow GET requests to app routes", async () => {
     const req = createRequest("/team/xyz", "GET");
     const res = checkPostMethod(req);
@@ -213,29 +212,6 @@ describe("Middleware Integration Tests", () => {
     });
   });
 
-  describe("POST Method Protection", () => {
-    it("should allow POST to /api/auth/signup", async () => {
-      const req = createTestRequest({
-        url: `${WEBAPP_URL}/api/auth/signup`,
-        method: "POST",
-      });
-
-      const res = await callMiddleware(req);
-      expectStatus(res, 200);
-    });
-
-    it("should block POST to regular routes", async () => {
-      const req = createTestRequest({
-        url: `${WEBAPP_URL}/team/test`,
-        method: "POST",
-      });
-
-      const res = await callMiddleware(req);
-      expectStatus(res, 405);
-      expect(getHeader(res, "Allow")).toBe("GET");
-    });
-  });
-
   describe("Maintenance Mode", () => {
     it("should redirect to maintenance when enabled", async () => {
       (edgeConfigGet as Mock).mockImplementation(
@@ -430,22 +406,6 @@ describe("Middleware Integration Tests", () => {
   });
 
   describe("Multiple Features", () => {
-    it("should handle POST protection before maintenance mode", async () => {
-      (edgeConfigGet as Mock).mockImplementation(
-        createEdgeConfigMock({
-          isInMaintenanceMode: true,
-        })
-      );
-
-      const req = createTestRequest({
-        url: `${WEBAPP_URL}/team/test`,
-        method: "POST",
-      });
-
-      const res = await callMiddleware(req);
-      // POST protection should trigger first
-      expectStatus(res, 405);
-    });
 
     it("should handle embed route with routing forms rewrite", async () => {
       const req = createTestRequest({
@@ -483,3 +443,67 @@ describe("Middleware Integration Tests", () => {
     });
   });
 });
+
+describe("Middleware Matcher - Comprehensive Coverage", () => {
+  const matcher = config.matcher[0];
+  const pattern = matcher.replace(/^\/|\/$/g, "");
+  const regex = new RegExp(`^/${pattern}`);
+
+  const cases = [
+    // pages & apis
+    { path: "/", expected: true, reason: "Root page" },
+    { path: "/home", expected: true, reason: "Regular page" },
+    { path: "/team/abc", expected: true, reason: "Nested page" },
+    { path: "/api/auth/login", expected: true, reason: "API route" },
+    { path: "/api/bookings", expected: true, reason: "Top-level API" },
+    { path: "/dashboard/settings", expected: true, reason: "Deep nested page" },
+    { path: "/user/john/profile", expected: true, reason: "Multiple nested path" },
+    { path: "/apps/routing_forms/form", expected: true, reason: "App page under /apps" },
+    { path: "/embed?ui.color-scheme=dark", expected: true, reason: "Embed query param" },
+
+    // should be ignored (internal / static / public)
+    { path: "/_next/static/chunks/app.js", expected: false, reason: "Internal static asset" },
+    { path: "/_next/image?url=%2Flogo.png&w=256&q=75", expected: false, reason: "Internal image handler" },
+    { path: "/_next/data/build-id/page.json", expected: false, reason: "Next.js data route" },
+    { path: "/favicon.ico", expected: false, reason: "Favicon asset" },
+    { path: "/robots.txt", expected: false, reason: "Robots file" },
+    { path: "/sitemap.xml", expected: false, reason: "Sitemap file" },
+    { path: "/public/images/logo.png", expected: false, reason: "Public folder asset" },
+    { path: "/public/fonts/inter.woff2", expected: false, reason: "Public folder font" },
+    { path: "/static/js/main.js", expected: false, reason: "Static folder JavaScript" },
+    { path: "/static/css/app.css", expected: false, reason: "Static folder stylesheet" },
+
+    // edge cases
+    { path: "/manifest.json", expected: true, reason: "Manifest is a public page, not ignored" },
+    { path: "/_nextsomething", expected: true, reason: "Looks like _next but not reserved" },
+    { path: "/nextconfig", expected: true, reason: "Normal route with 'next' in name" },
+    { path: "/_NEXT/image", expected: true, reason: "Case-sensitive test (should match)" },
+    { path: "/favicon-abc.ico", expected: true, reason: "Favicon variant should still match" },
+    { path: "/robots-custom.txt", expected: true, reason: "Custom robots file should match" },
+    { path: "/sitemap-other.xml", expected: true, reason: "Custom sitemap file should match" },
+    { path: "/api_", expected: true, reason: "Partial match with api underscore" },
+    { path: "//double-slash", expected: true, reason: "Double slash URL" },
+    { path: "/_next", expected: false, reason: "Bare _next path" },
+  ];
+
+  it("should match only the intended routes", () => {
+    for (const { path, expected, reason } of cases) {
+      const result = regex.test(path);
+      expect(result, `${path} → ${reason}`).toBe(expected);
+    }
+  });
+
+  it("should not accidentally match internal Next.js routes", () => {
+    const internalPaths = ["/_next/static", "/_next/image", "/_next/data"];
+    for (const path of internalPaths) {
+      expect(regex.test(path)).toBe(false);
+    }
+  });
+
+  it("should match all user-facing routes and APIs", () => {
+    const publicPaths = ["/", "/api/user", "/settings", "/dashboard"];
+    for (const path of publicPaths) {
+      expect(regex.test(path)).toBe(true);
+    }
+  });
+});

apps/web/middleware.ts

@@ -3,19 +3,74 @@ import { collectEvents } from "next-collect/server";
 import type { NextRequest } from "next/server";
 import { NextResponse } from "next/server";
 
+import { checkRateLimitAndThrowError } from "@calcom/lib/checkRateLimitAndThrowError";
+import getIP from "@calcom/lib/getIP";
+import { HttpError } from "@calcom/lib/http-error";
+import { piiHasher } from "@calcom/lib/server/PiiHasher";
 import { extendEventData, nextCollectBasicSettings } from "@calcom/lib/telemetry";
 
 import { getCspHeader, getCspNonce } from "@lib/csp";
 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
 const safeGet = async <T = any>(key: string): Promise<T | undefined> => {
   try {
     return get<T>(key);
-  } catch (error) {
+  } catch {
     // Don't crash if EDGE_CONFIG env var is missing
   }
 };
 
-export const POST_METHODS_ALLOWED_API_ROUTES = ["/api/auth/signup"];
+export const POST_METHODS_ALLOWED_API_ROUTES = [
+  "/api/auth/forgot-password",
+  "/api/auth/oauth/me",
+  "/api/auth/oauth/refreshToken",
+  "/api/auth/oauth/token",
+  "/api/auth/reset-password",
+  "/api/auth/saml/callback",
+  "/api/auth/saml/token",
+  "/api/auth/setup",
+  "/api/auth/signup",
+  "/api/auth/two-factor/totp/disable",
+  "/api/auth/two-factor/totp/enable",
+  "/api/auth/two-factor/totp/setup",
+  "/api/auth/session",
+  "/api/availability/calendar",
+  "/api/cancel",
+  "/api/cron/bookingReminder",
+  "/api/cron/calendar-cache-cleanup",
+  "/api/cron/changeTimeZone",
+  "/api/cron/checkSmsPrices",
+  "/api/cron/downgradeUsers",
+  "/api/cron/monthlyDigestEmail",
+  "/api/cron/syncAppMeta",
+  "/api/cron/webhookTriggers",
+  "/api/cron/workflows/scheduleEmailReminders",
+  "/api/cron/workflows/scheduleSMSReminders",
+  "/api/cron/workflows/scheduleWhatsappReminders",
+  "/api/get-inbound-dynamic-variables",
+  "/api/integrations/", // for /api/integrations/[...args] and webhooks
+  "/api/recorded-daily-video",
+  "/api/router",
+  "/api/routing-forms/queued-response",
+  "/api/scim/v2.0/", // /api/scim/v2.0/[...directory]
+  "/api/support/conversation",
+  "/api/sync/helpscout",
+  "/api/twilio/webhook",
+  "/api/username",
+  "/api/verify-booking-token",
+  "/api/video/guest-session",
+  "/api/webhook/app-credential",
+  "/api/webhooks/calendar-subscription/", // /api/webhooks/calendar-subscription/[provider]
+  "/api/webhooks/retell-ai",
+  "/api/workflows/sms/user-response",
+  "/api/trpc/", // for tRPC
+  "/api/auth/callback/", // for NextAuth
+  "/api/book/event",
+  "/api/book/instant-event",
+  "/api/book/recurring-event",
+  "/availability",
+];
+
 export function checkPostMethod(req: NextRequest) {
   const pathname = req.nextUrl.pathname;
   if (!POST_METHODS_ALLOWED_API_ROUTES.some((route) => pathname.startsWith(route)) && req.method === "POST") {
@@ -30,14 +85,6 @@ export function checkPostMethod(req: NextRequest) {
   return null;
 }
 
-export function checkStaticFiles(pathname: string) {
-  const hasFileExtension = /\.(svg|png|jpg|jpeg|gif|webp|ico)$/.test(pathname);
-  // Skip Next.js internal paths (_next) and static assets
-  if (pathname.startsWith("/_next") || hasFileExtension) {
-    return NextResponse.next();
-  }
-}
-
 const isPagePathRequest = (url: URL) => {
   const isNonPagePathPrefix = /^\/(?:_next|api)\//;
   const isFile = /\..*$/;
@@ -50,11 +97,21 @@ const shouldEnforceCsp = (url: URL) => {
 };
 
 const middleware = async (req: NextRequest): Promise<NextResponse<unknown>> => {
-  const postCheckResult = checkPostMethod(req);
-  if (postCheckResult) return postCheckResult;
+  const requestorIp = getIP(req);
+  try {
+    await checkRateLimitAndThrowError({
+      rateLimitingType: "common",
+      identifier: `${req.nextUrl.pathname}-${piiHasher.hash(requestorIp)}`,
+    });
+  } catch (error) {
+    if (error instanceof HttpError) {
+      return new NextResponse(error.message, { status: error.statusCode });
+    }
+    throw error;
+  }
 
-  const isStaticFile = checkStaticFiles(req.nextUrl.pathname);
-  if (isStaticFile) return isStaticFile;
+  // const postCheckResult = checkPostMethod(req);
+  // if (postCheckResult) return postCheckResult;
 
   const url = req.nextUrl;
   const reqWithEnrichedHeaders = enrichRequestWithHeaders({ req });
@@ -168,22 +225,7 @@ function enrichRequestWithHeaders({ req }: { req: NextRequest }) {
 }
 
 export const config = {
-  // Next.js Doesn't support spread operator in config matcher, so, we must list all paths explicitly here.
-  // https://github.com/vercel/next.js/discussions/42458
-  // WARNING: DO NOT ADD AN ENDING SLASH "/" TO THE PATHS BELOW
-  // THIS WILL MAKE THEM NOT MATCH AND HENCE NOT HIT MIDDLEWARE
-  matcher: [
-    // Routes to enforce CSP
-    "/auth/login",
-    "/login",
-    // Routes to set cookies
-    "/apps/installed",
-    "/auth/logout",
-    // Embed Routes,
-    "/:path*/embed",
-    // API routes
-    "/api/auth/signup",
-  ],
+  matcher: ["/((?!_next(?:/|$)|static(?:/|$)|public(?:/|$)|favicon\\.ico$|robots\\.txt$|sitemap\\.xml$).*)"],
 };
 
 export default collectEvents({

packages/features/ee/workflows/lib/reminders/providers/twilioProvider.ts

@@ -2,7 +2,7 @@ import type { NextRequest } from "next/server";
 import TwilioClient from "twilio";
 import { v4 as uuidv4 } from "uuid";
 
-import { checkSMSRateLimit } from "@calcom/lib/checkRateLimitAndThrowError";
+import { checkSMSRateLimit } from "@calcom/lib/smsLockState";
 import { WEBAPP_URL } from "@calcom/lib/constants";
 import logger from "@calcom/lib/logger";
 import { setTestSMS } from "@calcom/lib/testSMS";
@@ -85,6 +85,7 @@ export const sendSMS = async ({
   }
 
   if (isWhatsapp) {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     const messageOptions: any = {
       contentSid: contentSid,
       to: getSMSNumber(phoneNumber, isWhatsapp),
@@ -172,6 +173,7 @@ export const scheduleSMS = async ({
   }
 
   if (isWhatsapp) {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     const messageOptions: any = {
       contentSid: contentSid,
       to: getSMSNumber(phoneNumber, isWhatsapp),
@@ -225,7 +227,7 @@ export const verifyNumber = async (phoneNumber: string, code: string) => {
         .services(process.env.TWILIO_VERIFY_SID)
         .verificationChecks.create({ to: phoneNumber, code: code });
       return verification_check.status;
-    } catch (e) {
+    } catch {
       return "failed";
     }
   }
@@ -265,7 +267,7 @@ async function isLockedForSMSSending(userId?: number | null, teamId?: number | n
       (membership) => membership.team.smsLockState === SMSLockState.LOCKED
     );
 
-    if (!!memberOfLockedTeam) {
+    if (memberOfLockedTeam) {
       return true;
     }
 

packages/features/ee/workflows/lib/reminders/reminderScheduler.ts

@@ -11,7 +11,7 @@ import * as twilio from "@calcom/features/ee/workflows/lib/reminders/providers/t
 import type { Workflow, WorkflowStep } from "@calcom/features/ee/workflows/lib/types";
 import { getSubmitterEmail } from "@calcom/features/tasker/tasks/triggerFormSubmittedNoEvent/formSubmissionValidation";
 import { UserRepository } from "@calcom/features/users/repositories/UserRepository";
-import { checkSMSRateLimit } from "@calcom/lib/checkRateLimitAndThrowError";
+import { checkSMSRateLimit } from "@calcom/lib/smsLockState";
 import { SENDER_NAME } from "@calcom/lib/constants";
 import { formatCalEventExtended } from "@calcom/lib/formatCalendarEvent";
 import { withReporting } from "@calcom/lib/sentryWrapper";