fix: Harden access controls and improve API security #34

Merged: DongDuong2001 merged 4 commits into main from fix-production-api-hardening on Jun 1, 2026
DongDuong2001 (Collaborator) commented Jun 1, 2026

This pull request introduces several improvements to chat API request validation, rate limiting, and error handling, as well as minor adjustments to project and cron API endpoints. The most significant changes are enhanced input validation and rate limiting for the chat API, stricter message size controls, and expanded protected API route configuration.

Chat API improvements:

  • Added input validation using zod (chatRequestSchema) to strictly check incoming chat requests for required structure and limits (max messages, message length, total message characters).
  • Implemented per-user rate limiting for chat requests (20 requests per minute, with lockout) to prevent abuse.
  • Enforced message content truncation and total character limits in normalizeChatMessages to ensure requests stay within allowed bounds.
  • Improved error handling and logging for unauthorized access, invalid requests, rate limit violations, and missing configuration [1] [2].

API route protection:

  • Expanded the list of protected API paths in the middleware configuration to include user and authentication-related endpoints, enhancing security.

Other changes:

  • Simplified the projects API endpoint by removing unnecessary use of the admin client, relying solely on the session client for listing accessible projects [1] [2].
  • Streamlined the Supabase keepalive cron endpoint by removing unused variables and returning a simpler response [1] [2].

Summary by CodeRabbit

  • New Features

    • Chat endpoint now requires user authentication and enforces per-user rate limiting
  • Bug Fixes

    • Message content validation and cumulative size restrictions now enforced
    • Improved security with generic error messages
  • Updates

    • Additional API routes now protected with authentication requirements
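
The per-user limit and message caps described in the PR description above, as an added TypeScript example; this is not the code from app/api/chat/route.ts. Only the 20-requests-per-minute figure comes from the PR text; the function names `checkRateLimit` and `clampChatMessages`, the lockout duration, the size caps and the keep-newest policy are assumptions.

```typescript
// Added illustration, not the code from app/api/chat/route.ts.
// Only "20 requests per minute, with lockout" is from the PR text; other numbers are assumed.
const WINDOW_MS = 60_000;
const MAX_REQUESTS = 20;
const LOCKOUT_MS = 5 * 60_000;   // assumed lockout length
const MAX_MESSAGES = 50;         // assumed
const MAX_MESSAGE_CHARS = 4_000; // assumed
const MAX_TOTAL_CHARS = 16_000;  // assumed

type Bucket = { windowStart: number; count: number; lockedUntil: number };
type Decision = { allowed: boolean; status: 200 | 429; retryAfterSec: number };
type ChatMessage = { role: "user" | "assistant"; content: string };

// Key by the user id taken from the verified session, never by a client-supplied value.
const buckets = new Map<string, Bucket>();

function checkRateLimit(userId: string, now: number = Date.now()): Decision {
  const b = buckets.get(userId) ?? { windowStart: now, count: 0, lockedUntil: 0 };
  buckets.set(userId, b);
  if (now < b.lockedUntil) {
    // Still locked out: tell the client when to retry instead of counting the request.
    return { allowed: false, status: 429, retryAfterSec: Math.ceil((b.lockedUntil - now) / 1000) };
  }
  if (now - b.windowStart >= WINDOW_MS) {
    b.windowStart = now; // fixed window expired, start a new one
    b.count = 0;
  }
  b.count += 1;
  if (b.count > MAX_REQUESTS) {
    b.lockedUntil = now + LOCKOUT_MS;
    return { allowed: false, status: 429, retryAfterSec: LOCKOUT_MS / 1000 };
  }
  return { allowed: true, status: 200, retryAfterSec: 0 };
}

// Keep the newest messages, truncate each one, and stop when the total budget is spent.
function clampChatMessages(messages: ChatMessage[]): ChatMessage[] {
  const kept: ChatMessage[] = [];
  let remaining = MAX_TOTAL_CHARS;
  for (const m of messages.slice(-MAX_MESSAGES).reverse()) {
    if (remaining <= 0) break;
    const content = m.content.slice(0, Math.min(MAX_MESSAGE_CHARS, remaining));
    remaining -= content.length;
    kept.unshift({ role: m.role, content });
  }
  return kept;
}
```

The `Map` lives in one process, so on a serverless deployment each instance counts separately; a hard limit needs a shared store behind the same check.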

vercel Bot (Contributor) commented Jun 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| lab68dev-platform-1ds5 | Ready | Preview, Comment | Jun 1, 2026 7:19am |

supabase Bot commented Jun 1, 2026

This pull request has been ignored for the connected project xafgcrldyuapvnimoler because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings.



coderabbitai Bot commented Jun 1, 2026

Caution

Review failed

The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between 31984ff and 91a79fd.

📒 Files selected for processing (4)
  • app/api/chat/route.ts
  • app/api/cron/supabase-keepalive/route.ts
  • app/api/projects/route.ts
  • lib/middleware/types.ts

📝 Walkthrough

This PR hardens API security by enforcing authentication on the chat endpoint with rate limiting and validated request schemas, expanding the middleware's protected routes list, and simplifying client access patterns across project and cron endpoints to remove admin fallback logic and diagnostic bloat.

Changes

API Authentication and Security Hardening

| Layer / File(s) | Summary |
| --- | --- |
| Protected routes configuration (lib/middleware/types.ts) | The defaultRouteConfig.protectedApiPaths array expands from 2 to 6 routes, adding /api/users, /api/auth/sessions, /api/auth/password, and /api/auth/mfa as authenticated endpoints. |
| Chat API authentication, validation, and rate limiting (app/api/chat/route.ts) | Chat endpoint enforces Supabase auth (401 if missing) and applies per-user rate limiting (429 if exceeded). Incoming requests are schema-validated with Zod for message array bounds and model selection. Message normalization enforces per-message and cumulative character size caps. User context is fetched from Supabase todos and projects, passed to Groq with a fixed temperature, output token cap, and usage logging on completion. Generic error message replaces echoed error details. |
| Client-only API simplifications (app/api/projects/route.ts, app/api/cron/supabase-keepalive/route.ts) | Projects endpoint removes admin client import and fallback logic, always using the authenticated session client. Cron keepalive endpoint simplifies query result destructuring to extract only error, dropping timing and count fields, and returns minimal { ok: true } instead of diagnostic metadata. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A rabbit's hop through auth we go,
Rate limits rise, yet sessions flow,
Schema guards each chat so bright,
Protected paths keep APIs tight!
No admin fuss, just clean and keen—
The finest APIs ever seen! 🔐✨


DongDuong2001 self-assigned this Jun 1, 2026
DongDuong2001 marked this pull request as ready for review June 1, 2026 10:37
DongDuong2001 merged commit c4be98c into main Jun 1, 2026
10 of 11 checks passed