Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
WalkthroughAdds AUTH_EMAIL_RATE_LIMIT to 📜 Recent review detailsConfiguration used: CodeRabbit UI Review profile: CHILL Plan: Pro 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
Pre-merge checks (2 passed, 1 warning)❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✨ Finishing Touches
🧪 Generate unit tests
Comment |
Deploying usesend with
|
| Latest commit: |
98dce11
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://a7f0d9f7.usesend.pages.dev |
| Branch Preview URL: | https://codex-implement-rate-limit-o.usesend.pages.dev |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (4)
.env.selfhost.example (1)
37-37: Alphabetize keys to satisfy dotenv-linter (and keep examples consistent).Place AUTH_EMAIL_RATE_LIMIT before DOCKER_OUTPUT (and next to API_RATE_LIMIT).
Apply:
-DOCKER_OUTPUT=1 -API_RATE_LIMIT=1 -AUTH_EMAIL_RATE_LIMIT=5 +API_RATE_LIMIT=1 +AUTH_EMAIL_RATE_LIMIT=5 +DOCKER_OUTPUT=1apps/web/src/app/api/auth/[...nextauth]/route.ts (3)
21-26: Atomic TTL set (optional): use EXPIRE NX in a pipeline.Your pattern is fine; using EXPIRE with NX ensures TTL is attached only on first creation without relying on count === 1.
- const count = await redis.incr(key); - if (count === 1) await redis.expire(key, ttl); + const [[, count]] = await redis + .multi() + .incr(key) + // Redis >=7 supports EXPIRE key seconds NX + .expire(key, ttl, "NX") + .exec();
27-29: Include rate-limit headers and a Retry-After hint.Improves client/backoff behavior and observability.
- return new Response("Too many requests", { status: 429 }); + const retryAfter = "60"; + return new Response( + JSON.stringify({ error: "Too many requests" }), + { + status: 429, + headers: { + "Content-Type": "application/json", + "Retry-After": retryAfter, + "X-RateLimit-Limit": String(env.AUTH_EMAIL_RATE_LIMIT), + "X-RateLimit-Remaining": "0", + "X-RateLimit-Reset": retryAfter, + }, + }, + );
30-32: Log with consistent shape and include IP for failures.Add ip to error context for parity with the warn path.
- logger.error({ err: error }, "Auth email rate limit failed"); + logger.error({ err: error, ip: (req.headers.get("x-forwarded-for") ?? req.headers.get("x-real-ip") ?? "").split(",")[0]?.trim() }, "Auth email rate limit failed");
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (4)
.env.example(1 hunks).env.selfhost.example(1 hunks)apps/web/src/app/api/auth/[...nextauth]/route.ts(1 hunks)apps/web/src/env.js(2 hunks)
🧰 Additional context used
📓 Path-based instructions (5)
.env*
📄 CodeRabbit inference engine (AGENTS.md)
Environment configuration files must live at the repository root and be named .env*
Files:
.env.selfhost.example.env.example
**/*.{js,jsx,ts,tsx}
📄 CodeRabbit inference engine (.cursor/rules/general.mdc)
Include all required imports, and ensure proper naming of key components.
Files:
apps/web/src/env.jsapps/web/src/app/api/auth/[...nextauth]/route.ts
**/*.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/*.{ts,tsx}: Use 2-space indentation in TypeScript code (enforced by Prettier)
Use semicolons in TypeScript code (enforced by Prettier)
Do not use dynamic imports
Files:
apps/web/src/app/api/auth/[...nextauth]/route.ts
**/*.{ts,tsx,md}
📄 CodeRabbit inference engine (AGENTS.md)
Format code with Prettier 3 via pnpm format for TypeScript and Markdown files
Files:
apps/web/src/app/api/auth/[...nextauth]/route.ts
apps/web/**/*.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
In apps/web, use the
/ alias for src imports (e.g., import { x } from "/utils/x")
Files:
apps/web/src/app/api/auth/[...nextauth]/route.ts
🧬 Code graph analysis (1)
apps/web/src/app/api/auth/[...nextauth]/route.ts (3)
apps/web/src/env.js (2)
env(5-130)env(5-130)apps/web/src/server/redis.ts (1)
getRedis(6-13)apps/web/src/server/logger/log.ts (1)
logger(31-63)
🪛 dotenv-linter (3.3.0)
.env.selfhost.example
[warning] 37-37: [UnorderedKey] The AUTH_EMAIL_RATE_LIMIT key should go before the DOCKER_OUTPUT key
(UnorderedKey)
🔇 Additional comments (3)
.env.example (1)
23-23: LGTM: new variable documented.AUTH_EMAIL_RATE_LIMIT is added and grouped with API_RATE_LIMIT; matches env.js schema.
apps/web/src/env.js (1)
102-102: Runtime mapping present.AUTH_EMAIL_RATE_LIMIT is wired into runtimeEnv correctly.
apps/web/src/app/api/auth/[...nextauth]/route.ts (1)
35-36: LGTM: delegate to NextAuth when not rate-limited.Flow is preserved for all other requests.
| import NextAuth from "next-auth"; | ||
|
|
||
| import { authOptions } from "~/server/auth"; | ||
| import { env } from "~/env"; | ||
| import { getRedis } from "~/server/redis"; | ||
| import { logger } from "~/server/logger/log"; |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Force Node.js runtime to avoid Edge/ioredis incompatibility.
This route uses ioredis via getRedis(); ensure it never runs on the Edge runtime.
import NextAuth from "next-auth";
import { authOptions } from "~/server/auth";
import { env } from "~/env";
import { getRedis } from "~/server/redis";
import { logger } from "~/server/logger/log";
+
+// ioredis requires Node.js runtime
+export const runtime = "nodejs";📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| import NextAuth from "next-auth"; | |
| import { authOptions } from "~/server/auth"; | |
| import { env } from "~/env"; | |
| import { getRedis } from "~/server/redis"; | |
| import { logger } from "~/server/logger/log"; | |
| import NextAuth from "next-auth"; | |
| import { authOptions } from "~/server/auth"; | |
| import { env } from "~/env"; | |
| import { getRedis } from "~/server/redis"; | |
| import { logger } from "~/server/logger/log"; | |
| // ioredis requires Node.js runtime | |
| export const runtime = "nodejs"; |
🤖 Prompt for AI Agents
In apps/web/src/app/api/auth/[...nextauth]/route.ts around lines 1-6, this
Next.js route uses ioredis via getRedis and must not run on the Edge runtime;
add an exported runtime declaration at the top of the file that sets the runtime
to Node (e.g., export a constant named runtime with value 'node') so the route
always runs on the Node.js runtime, then verify imports remain unchanged and
redeploy.
| AUTH_EMAIL_RATE_LIMIT: z | ||
| .string() | ||
| .default("0") | ||
| .transform((str) => parseInt(str, 10)), |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Harden numeric validation for AUTH_EMAIL_RATE_LIMIT (avoid NaN, catch bad input).
Current z.string().transform(parseInt) allows non-numeric strings to become NaN, silently disabling rate limiting. Coerce to a non-negative int.
- AUTH_EMAIL_RATE_LIMIT: z
- .string()
- .default("0")
- .transform((str) => parseInt(str, 10)),
+ AUTH_EMAIL_RATE_LIMIT: z.coerce.number().int().nonnegative().default(0),📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| AUTH_EMAIL_RATE_LIMIT: z | |
| .string() | |
| .default("0") | |
| .transform((str) => parseInt(str, 10)), | |
| AUTH_EMAIL_RATE_LIMIT: z.coerce.number().int().nonnegative().default(0), |
🤖 Prompt for AI Agents
In apps/web/src/env.js around lines 47 to 50, the current AUTH_EMAIL_RATE_LIMIT
uses z.string().transform(parseInt) which can produce NaN for bad input; change
it to parse and validate as a non-negative integer: preprocess the raw string
into a Number (e.g., with Number(str) or parseInt but guard against NaN), then
validate with z.number().int().nonnegative().default(0) (or add a refine to
reject NaN) so invalid values fail validation or fall back to 0 instead of
becoming NaN.
There was a problem hiding this comment.
Actionable comments posted: 2
♻️ Duplicate comments (1)
apps/web/src/app/api/auth/[...nextauth]/route.ts (1)
1-6: Force Node runtime to avoid ioredis/Edge crash.This route uses ioredis; without forcing Node.js runtime it can deploy to Edge and fail at runtime.
import NextAuth from "next-auth"; import { authOptions } from "~/server/auth"; import { env } from "~/env"; import { getRedis } from "~/server/redis"; import { logger } from "~/server/logger/log"; + +// ioredis requires Node.js runtime +export const runtime = "nodejs";Run to confirm the runtime export exists:
#!/bin/bash rg -nP 'export\\s+const\\s+runtime\\s*=\\s*"nodejs"' apps/web/src/app/api/auth/\.\.\.nextauth/route\.ts
🧹 Nitpick comments (2)
apps/web/src/app/api/auth/[...nextauth]/route.ts (2)
57-59: Handle trailing slash on pathname.Support both /signin/email and /signin/email/.
- const url = new URL(req.url); - if (url.pathname.endsWith("/signin/email")) { + const url = new URL(req.url); + const pathname = url.pathname.replace(/\/+$/, ""); + if (pathname.endsWith("/signin/email")) {
72-80: Include Retry-After and no-store headers on 429.Improves client/backoff behavior and caching semantics.
- return Response.json( + return Response.json( { error: { code: "RATE_LIMITED", message: "Too many requests", }, }, - { status: 429 } + { + status: 429, + headers: { + "Retry-After": String(ttl), + "Cache-Control": "no-store", + }, + } );
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
apps/web/src/app/api/auth/[...nextauth]/route.ts(1 hunks)
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{js,jsx,ts,tsx}
📄 CodeRabbit inference engine (.cursor/rules/general.mdc)
Include all required imports, and ensure proper naming of key components.
Files:
apps/web/src/app/api/auth/[...nextauth]/route.ts
**/*.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/*.{ts,tsx}: Use 2-space indentation in TypeScript code (enforced by Prettier)
Use semicolons in TypeScript code (enforced by Prettier)
Do not use dynamic imports
Files:
apps/web/src/app/api/auth/[...nextauth]/route.ts
**/*.{ts,tsx,md}
📄 CodeRabbit inference engine (AGENTS.md)
Format code with Prettier 3 via pnpm format for TypeScript and Markdown files
Files:
apps/web/src/app/api/auth/[...nextauth]/route.ts
apps/web/**/*.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
In apps/web, use the
/ alias for src imports (e.g., import { x } from "/utils/x")
Files:
apps/web/src/app/api/auth/[...nextauth]/route.ts
🧬 Code graph analysis (1)
apps/web/src/app/api/auth/[...nextauth]/route.ts (3)
apps/web/src/env.js (2)
env(5-130)env(5-130)apps/web/src/server/logger/log.ts (1)
logger(31-63)apps/web/src/server/redis.ts (1)
getRedis(6-13)
🔇 Additional comments (2)
apps/web/src/app/api/auth/[...nextauth]/route.ts (2)
10-10: GET re-export: LGTM.Re-exporting GET to NextAuth handler is correct.
56-86: Overall POST flow: solid.Gated on env flag, scoped to email sign-in, uses atomic INCR+EXPIRE, logs and gracefully degrades on RL errors. Nice.
| function getClientIp(req: Request): string | null { | ||
| const h = req.headers; | ||
| const direct = | ||
| h.get("x-forwarded-for") ?? | ||
| h.get("x-real-ip") ?? | ||
| h.get("cf-connecting-ip") ?? | ||
| h.get("x-client-ip") ?? | ||
| h.get("true-client-ip") ?? | ||
| h.get("fastly-client-ip") ?? | ||
| h.get("x-cluster-client-ip") ?? | ||
| null; | ||
|
|
||
| let ip = direct?.split(",")[0]?.trim() ?? ""; | ||
|
|
||
| if (!ip) { | ||
| const fwd = h.get("forwarded"); | ||
| if (fwd) { | ||
| const first = fwd.split(",")[0]; | ||
| const match = first?.match(/for=([^;]+)/i); | ||
| if (match && match[1]) { | ||
| const raw = match[1].trim().replace(/^"|"$/g, ""); | ||
| if (raw.startsWith("[")) { | ||
| const end = raw.indexOf("]"); | ||
| ip = end !== -1 ? raw.slice(1, end) : raw; | ||
| } else { | ||
| const parts = raw.split(":"); | ||
| if (parts.length > 0 && parts[0]) { | ||
| ip = | ||
| parts.length === 2 && /^\d+(?:\.\d+){3}$/.test(parts[0]) | ||
| ? parts[0] | ||
| : raw; | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
|
|
||
| return ip || null; | ||
| } |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Harden client IP parsing and validate before use.
Unvalidated header values can include ports/garbage and create unbounded Redis keys. Normalize and validate as IP; skip RL if invalid.
function getClientIp(req: Request): string | null {
const h = req.headers;
@@
- let ip = direct?.split(",")[0]?.trim() ?? "";
+ let ip = direct?.split(",")[0]?.trim() ?? "";
+ // Strip IPv4 port if present in XFF: "1.2.3.4:5678" -> "1.2.3.4"
+ const colon = ip.lastIndexOf(":");
+ if (ip && colon > -1 && ip.includes(".")) ip = ip.slice(0, colon);
@@
- return ip || null;
+ // Validate; treat non-IP as missing
+ // (isIP returns 0 for invalid, 4 for IPv4, 6 for IPv6)
+ return ip && isIP(ip) !== 0 ? ip : null;
}Add import (top of file):
import { isIP } from "node:net";🤖 Prompt for AI Agents
In apps/web/src/app/api/auth/[...nextauth]/route.ts around lines 12 to 50, the
client IP parsing accepts unvalidated header values (including ports/garbage)
which can produce unbounded Redis keys; import isIP from node:net and after
extracting the candidate IP normalize it (strip surrounding quotes, remove IPv6
brackets, remove appended port if present), then validate it with
isIP(candidate) and only return the IP when isIP(...) > 0; otherwise return null
so downstream logic (rate limiting) is skipped for invalid values.
| const key = `auth-rl:${ip}`; | ||
| const ttl = 60; |
There was a problem hiding this comment.
Hash the key to prevent header-driven key explosion and key injection.
Using raw header text as part of the key allows unbounded cardinality and odd bytes. Hashing stabilizes size and characters.
- const key = `auth-rl:${ip}`;
+ const key = `auth-rl:${createHash("sha256").update(ip).digest("hex")}`;Add import (top of file):
import { createHash } from "node:crypto";🤖 Prompt for AI Agents
In apps/web/src/app/api/auth/[...nextauth]/route.ts around lines 66 to 67, the
rate-limit key is built from the raw IP/header which can lead to unbounded
cardinality and strange bytes; replace that with a stable hashed value: add an
import for createHash from node:crypto at the top of the file, compute a
deterministic hex (or base64) hash of the ip/header before composing the key,
and use the hashed value in place of the raw ip when building the `auth-rl:` key
so the key size/charset is fixed and safe.
KMKoushik
deleted the
codex/implement-rate-limit-on-signup/signin-forms
branch
1 participant
Summary
AUTH_EMAIL_RATE_LIMITenv var and document in examplesTesting
pnpm formatpnpm lint(fails: ESLint found too many warnings)npx eslint src/app/api/auth/[...nextauth]/route.tspnpm build(fails: Invalid environment variables)https://chatgpt.com/codex/tasks/task_e_68bfda4f4da4832994ca3aec44f385fc
Summary by CodeRabbit