security: add rate limiting to /api/user/:username endpoint (#222) #230

Merged
jagdish-15 merged 1 commit into codepvg:main from rishab11250:feature/rate-limit-api-issue222
Jun 21, 2026
Conversation

@rishab11250

Contributor

Description

Adds rate limiting to the /api/user/:username endpoint using express-rate-limit v8.5.2. Caps requests at 30 per minute per IP (configurable via API_RATE_LIMIT env var) to prevent abuse, protect Render.com free tier resources, and shield the downstream LeetCode API wrapper from excessive calls.

Linked Issue

Fixes #222

Changes Made

  • Installed express-rate-limit as a production dependency
  • Set app.set("trust proxy", 1) so req.ip returns the real client IP behind Render.com's reverse proxy
  • Created an apiLimiter with a 1-minute window, 30 max requests, modern RateLimit-* headers, a custom Retry-After header, and a JSON error response { "error": "Rate limit exceeded", "retryAfter": 60 }
  • Applied the limiter to /api/user/:username via app.use() before the route handler

Type of Change

  • Bug fix
  • New feature
  • UI/Visual update
  • Documentation update
  • Refactor

Testing

  • Tested locally
  • Tested on mobile viewport (if applicable)
  • No console errors introduced
  • Verified with node --check server.js and npx prettier --check server.js

Checklist

  • My code follows the project's coding style
  • I have formatted my code locally by running npx prettier --write . before submitting
  • I am submitting my PR from a dedicated feature/* branch, not the main branch
  • I have performed a self-review of my code
  • My changes generate no new warnings or errors
  • I have updated documentation if required
  • I have linked the relevant issue

Screenshots / Screen Recording

N/A — backend-only security change, no UI impact.

Install express-rate-limit v8.5.2 and apply a rate limiter (30 req/min per IP, configurable via API_RATE_LIMIT env var) to the API endpoint. Also sets trust proxy for correct client IP detection behind Render.com's reverse proxy. Returns Retry-After header and JSON error on 429.
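The middleware the PR describes, as an added example that is not the project's code and does not use express-rate-limit: a fixed-window limiter that reproduces the externally visible behaviour listed above (30 requests per minute per IP, API_RATE_LIMIT override, RateLimit-* headers, Retry-After and a JSON 429 body) as a plain Express-style `(req, res, next)` function, so it runs without express installed. It also shows what `trust proxy: 1` buys you: with exactly one trusted hop the client address is the last X-Forwarded-For entry, the one Render's proxy appended, so a client cannot escape its bucket by forging the header. `makeReq`, `makeRes`, `burst` and the IP addresses are constructed stand-ins for testing.

```javascript
// Added example (not the PR's code): a fixed-window limiter with the same
// externally visible behaviour the PR describes, written as a plain
// Express-style middleware so it runs without express or express-rate-limit
// installed. Defaults: 30 requests per 60 s per IP, overridable through the
// API_RATE_LIMIT env var, as in the PR.
const WINDOW_MS = 60 * 1000;
const MAX_REQUESTS = Number(process.env.API_RATE_LIMIT) || 30;

// Mirrors what `app.set("trust proxy", 1)` does for req.ip: exactly one
// proxy hop (Render's) is trusted, so the client is the LAST entry of
// X-Forwarded-For, the one that proxy appended. Reading the FIRST entry
// would let any client choose its own bucket with a forged header, which is
// why a hop count, not a blanket `true`, is the right setting.
function clientIp(req, trustProxyHops = 1) {
  const xff = req.headers["x-forwarded-for"];
  if (trustProxyHops > 0 && xff) {
    const hops = xff.split(",").map((s) => s.trim()).filter(Boolean);
    if (hops.length > 0) return hops[Math.max(0, hops.length - trustProxyHops)];
  }
  return req.socket.remoteAddress;
}

// Builds the middleware. `now` is injectable so the window can be tested
// without waiting a minute.
function createRateLimiter({ windowMs = WINDOW_MS, max = MAX_REQUESTS, now = Date.now } = {}) {
  const buckets = new Map(); // ip -> { count, resetAt }

  return function apiLimiter(req, res, next) {
    const ip = clientIp(req);
    const t = now();
    let bucket = buckets.get(ip);
    if (!bucket || t >= bucket.resetAt) {
      bucket = { count: 0, resetAt: t + windowMs };
      buckets.set(ip, bucket);
    }
    bucket.count += 1;

    const remaining = Math.max(0, max - bucket.count);
    const retryAfter = Math.ceil((bucket.resetAt - t) / 1000);

    // Draft-standard RateLimit-* headers, the "modern" set the PR enables.
    res.setHeader("RateLimit-Limit", String(max));
    res.setHeader("RateLimit-Remaining", String(remaining));
    res.setHeader("RateLimit-Reset", String(retryAfter));

    if (bucket.count > max) {
      res.setHeader("Retry-After", String(retryAfter));
      res.status(429).json({ error: "Rate limit exceeded", retryAfter });
      return; // do not call next(): the route handler never runs
    }
    next();
  };
}

// Constructed stand-ins for Express's req/res so the limiter can be
// exercised without a server.
function makeReq(socketIp, xff) {
  return { headers: xff ? { "x-forwarded-for": xff } : {}, socket: { remoteAddress: socketIp } };
}
function makeRes() {
  return {
    headers: {}, statusCode: 200, body: null,
    setHeader(k, v) { this.headers[k] = v; },
    status(c) { this.statusCode = c; return this; },
    json(b) { this.body = b; return this; },
  };
}

// Sends `n` requests from one client and reports the status code each got.
function burst(limiter, req, n) {
  return Array.from({ length: n }, () => {
    const res = makeRes();
    let passed = false;
    limiter(req, res, () => { passed = true; });
    return { status: passed ? 200 : res.statusCode, res };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  const limiter = createRateLimiter({ max: 3 });
  // constructed: a forged first hop followed by the address the proxy appended
  const req = makeReq("10.0.0.1", "198.51.100.7, 203.0.113.9");
  for (const { status, res } of burst(limiter, req, 4)) {
    console.log(status, res.headers["RateLimit-Remaining"], res.body || "");
  }
}
```

Two things worth checking against the real deployment: the in-memory `Map` is per process, so a scale-out to several instances gives each client `max` requests per instance unless a shared store is used; and the bucket key is `req.ip`, so the `trust proxy` hop count must match the number of proxies actually in front of the app, otherwise every client either shares Render's proxy address or picks its own.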
@github-actions

Contributor

Thank you for submitting a pull request.

Please ensure your changes comply with the project's contribution guidelines and that all workflow checks pass successfully.

Formatting and Branching

  • Please confirm you have formatted your code locally using npx prettier --write ., or you can simply comment /format on this PR to have our bot do it for you!
  • Ensure this PR is made from a feature/* branch and not main.

Note: This project is currently maintained by a solo maintainer, so reviews and responses may sometimes take a little time. Thanks for your patience.

@jagdish-15 jagdish-15 merged commit 40c593a into codepvg:main Jun 21, 2026
2 checks passed
Development

Successfully merging this pull request may close these issues.

Security: Add rate limiting to /api/user/:username endpoint

2 participants