This repository was archived by the owner on Mar 2, 2026. It is now read-only.
Major: No Rate Limiting on API Routes #12
Open
Description
Priority
🟠 Major - Security & Cost
Locations
- All API routes in src/app/
- Server actions in src/api/
- Code execution endpoints
Problem Description
The application has no rate limiting on any API endpoints, including code execution which has direct E2B API costs.
Attack Scenarios
Scenario 1: E2B Cost Attack
An attacker runs code execution continuously, exhausting the E2B quota in minutes and potentially incurring thousands of dollars in costs.
Scenario 2: Database Load
Spamming progress updates overloads the database, causing slow queries and potential downtime.
Scenario 3: Auth Brute Force
An attacker can try password combinations indefinitely, since nothing limits the number of sign-in attempts.
Expected Behavior
1. Code Execution - Strict Rate Limit
Max 10 executions per minute per user, max 50 executions per hour per user.
2. Authentication - Tiered Rate Limit
Sign in: 5 attempts per 5 minutes per IP
3. General API - Standard Rate Limit
100 requests per minute per user
Related Issues
- Major: Debug Console.log Left in Production Code #8 - Playground exposed (adds urgency)
- Major: No Tests for Critical Compiler Functions #11 - Missing security headers
Steps to Fix
Phase 1: Immediate (Critical)
- Add rate limiting to code execution endpoints
- Use Upstash Redis or similar (has free tier)
- Set strict limits: 10/minute per user
Phase 2: Authentication
- Add rate limiting to auth endpoints
- Implement progressive delays
- Add IP-based blocking for repeated failures
Phase 3: General API
- Add general rate limiting middleware
- Different limits for authenticated vs anonymous
- Add rate limit headers to responses
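As an added example (not code from this repository), the following TypeScript sketches the three phases above in one place: a sliding-window limiter that enforces the tiered limits from Expected Behavior (10/minute and 50/hour for code execution, 5 per 5 minutes per IP for sign-in, 100/minute for the general API), per-user keys for authenticated callers and per-IP keys for anonymous ones, a progressive delay for repeated sign-in failures, and rate-limit response headers. The in-memory Map stands in for the Redis store the issue suggests; the names `SlidingWindowLimiter`, `POLICIES`, `limitKey`, `authBackoffMs` and `rateLimitHeaders` are all invented for this example.

```typescript
// Added example: sliding-window rate limiting with tiered policies.
// The in-memory log is for illustration only; on serverless hosting each
// instance would have its own Map, so production needs a shared store
// such as Redis (e.g. Upstash) behind the same interface.

export interface RateLimitRule {
  limit: number;    // max accepted requests ...
  windowMs: number; // ... within this sliding window
}

export interface RateLimitResult {
  allowed: boolean;
  limit: number;        // limit of the tightest rule (for headers)
  remaining: number;    // requests left under that rule after this one
  resetMs: number;      // ms until that rule frees a slot
  retryAfterMs: number; // 0 when allowed
}

// Limits taken from the issue's Expected Behavior section.
export const POLICIES = {
  codeExecution: [
    { limit: 10, windowMs: 60_000 },
    { limit: 50, windowMs: 3_600_000 },
  ] as RateLimitRule[],
  signIn: [{ limit: 5, windowMs: 5 * 60_000 }] as RateLimitRule[],
  generalApi: [{ limit: 100, windowMs: 60_000 }] as RateLimitRule[],
};

export class SlidingWindowLimiter {
  // key -> timestamps of accepted requests, oldest first
  private readonly hits = new Map<string, number[]>();

  // Injectable clock so behaviour can be tested deterministically.
  constructor(private readonly now: () => number = Date.now) {}

  check(key: string, rules: RateLimitRule[]): RateLimitResult {
    const t = this.now();
    const longest = Math.max(...rules.map((r) => r.windowMs));
    // Drop entries outside the longest window so the log cannot grow unbounded.
    const log = (this.hits.get(key) ?? []).filter((ts) => ts > t - longest);

    let allowed = true;
    let limit = 0;
    let remaining = Number.POSITIVE_INFINITY;
    let resetMs = 0;
    let retryAfterMs = 0;

    for (const rule of rules) {
      const inWindow = log.filter((ts) => ts > t - rule.windowMs);
      const left = rule.limit - inWindow.length;
      // A slot frees when the oldest hit in this window ages out.
      const oldest = inWindow[0];
      const freesIn = oldest === undefined ? rule.windowMs : oldest + rule.windowMs - t;
      if (left < remaining) {
        remaining = left;
        limit = rule.limit;
        resetMs = freesIn;
      }
      if (left <= 0) {
        allowed = false;
        retryAfterMs = Math.max(retryAfterMs, freesIn);
      }
    }

    if (allowed) log.push(t); // denied requests do not consume quota
    this.hits.set(key, log);
    return { allowed, limit, remaining: allowed ? remaining - 1 : 0, resetMs, retryAfterMs };
  }
}

// Authenticated callers are limited per user, anonymous callers per client IP.
export function limitKey(route: string, userId: string | null, ip: string): string {
  return userId ? `${route}:user:${userId}` : `${route}:ip:${ip}`;
}

// Progressive delay for repeated failed sign-ins: 1s, 2s, 4s, ... capped at 60s.
export function authBackoffMs(failedAttempts: number, baseMs = 1000, capMs = 60_000): number {
  if (failedAttempts <= 0) return 0;
  return Math.min(capMs, baseMs * 2 ** (failedAttempts - 1));
}

// X-RateLimit-* is the widely used header convention; values are in seconds.
export function rateLimitHeaders(r: RateLimitResult): Record<string, string> {
  const headers: Record<string, string> = {
    "X-RateLimit-Limit": String(r.limit),
    "X-RateLimit-Remaining": String(r.remaining),
    "X-RateLimit-Reset": String(Math.ceil(r.resetMs / 1000)),
  };
  if (!r.allowed) headers["Retry-After"] = String(Math.ceil(r.retryAfterMs / 1000));
  return headers;
}
```

A route handler would call `check` before doing any work, return HTTP 429 with the headers when `allowed` is false, and otherwise proceed and still attach the headers. Two caveats: the client IP used for anonymous keys must come from the trusted proxy's header, not from an arbitrary `X-Forwarded-For` value a client can set, and the sign-in limit should be applied before the password check so that failed attempts are counted even when the account does not exist.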
Additional Context
This is critical given the E2B integration. Each code execution has a direct cost. Without rate limiting, a single malicious user could cause significant financial damage.