fix(api): replace defaultdict with plain dict in rate limiter

gahyun-git · gahyun-git · commit c6100b7952fa · 2026-03-03T01:39:43.000+09:00
avoid defaultdict side effects on key access; use .get() for reads
and explicit assignment for writes to prevent empty key accumulation
diff --git a/apps/api/src/lib/rate_limit.py b/apps/api/src/lib/rate_limit.py
@@ -4,7 +4,6 @@
 
 import functools
 import time
-from collections import defaultdict
 from collections.abc import Awaitable, Callable
 from dataclasses import dataclass, field
 from typing import TYPE_CHECKING, Any, cast
@@ -46,7 +45,7 @@ class InMemoryRateLimiter:
 
     requests: int
     window: int
-    _storage: dict[str, list[float]] = field(default_factory=lambda: defaultdict(list))
+    _storage: dict[str, list[float]] = field(default_factory=dict)
 
     def is_allowed(self, key: str) -> tuple[bool, int, int]:
         """
@@ -59,21 +58,18 @@ def is_allowed(self, key: str) -> tuple[bool, int, int]:
         window_start = now - self.window
 
         # Clean old entries
-        entries = [ts for ts in self._storage[key] if ts > window_start]
-        if entries:
-            self._storage[key] = entries
-        elif key in self._storage:
-            # Remove empty keys to prevent memory leak
-            del self._storage[key]
+        entries = [ts for ts in self._storage.get(key, []) if ts > window_start]
 
         current_count = len(entries)
         remaining = max(0, self.requests - current_count - 1)
         reset_after = int(self.window - (now - entries[0])) if entries else self.window
 
         if current_count >= self.requests:
+            self._storage[key] = entries
             return False, 0, reset_after
 
-        self._storage[key].append(now)
+        entries.append(now)
+        self._storage[key] = entries
         return True, remaining, reset_after
 
 
diff --git a/apps/api/tests/test_rate_limit.py b/apps/api/tests/test_rate_limit.py
@@ -52,6 +52,19 @@ def test_different_keys_independent(self) -> None:
         assert allowed_b is True
         assert remaining_b == 1
 
+    def test_expired_keys_cleaned_up(self) -> None:
+        """Expired keys should not persist as empty entries in storage."""
+        limiter = InMemoryRateLimiter(requests=5, window=1)
+        limiter.is_allowed("ephemeral")
+        assert "ephemeral" in limiter._storage
+        # Simulate expiry by clearing entries and setting old timestamps
+        limiter._storage["ephemeral"] = [0.0]  # timestamp in the distant past
+        limiter.is_allowed("other")
+        # 'ephemeral' not accessed → still there but with old data
+        # Access 'ephemeral' → old entry filtered out, new one added
+        limiter.is_allowed("ephemeral")
+        assert len(limiter._storage["ephemeral"]) == 1
+
 
 # ── Config-keyed limiter registry ───────────────────────────────
 
