Skip to content

fix(og): add per-IP rate limiting to /api/og #5754

Merged
JhaSourav07 merged 1 commit into
JhaSourav07:mainfrom
taniy8:fix/og-route-missing-rate-limit
Jun 15, 2026
Merged

fix(og): add per-IP rate limiting to /api/og #5754
JhaSourav07 merged 1 commit into
JhaSourav07:mainfrom
taniy8:fix/og-route-missing-rate-limit

Conversation

@taniy8

@taniy8 taniy8 commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Description

Fixes #5753

Problem

app/api/og/route.tsx had zero rate limiting, making it the only unprotected
API route in the codebase. This endpoint is embedded in every page's <meta og:image>
tag, meaning every social media bot (Twitter, Discord, Slack, LinkedIn) that crawls
a shared CommitPulse link fires a fresh fetchGitHubContributions call against the
GitHub API with no throttle.

A single viral post or coordinated scrape could exhaust the entire GitHub API quota,
taking down /api/streak and /api/stats for all users globally since they share
the same token pool.

Fix

Added per-IP rate limiting (30 requests/minute) at the top of the GET handler,
consistent with the pattern used in /api/notify, /api/reviews, /api/ci-analytics,
and /api/webhook.

Added a test verifying 429 is returned when the limit is exceeded.

Pillar

  • 🎨 Pillar 1 — New Theme Design
  • 📐 Pillar 2 — Geometric SVG Improvement
  • 🕐 Pillar 3 — Timezone Logic Optimization
  • 🛠️ Other (Bug fix, refactoring, docs)

Visual Preview

N/A

Checklist before requesting a review:

  • I have read the CONTRIBUTING.md file.
  • I have tested these changes locally (localhost:3000/api/streak?user=YOUR_USERNAME).
  • I have run npm run format and npm run lint locally and resolved all errors (CI will fail otherwise).
  • My commits follow the Conventional Commits format (e.g., feat(themes): ..., fix(calculate): ...).
  • I have updated README.md if I added a new theme or URL parameter.
  • I have started the repo.
  • I have made sure that i have only one commit to merge in this PR.
  • The SVG output matches the CommitPulse "premium quality" aesthetic standard (no raw elements, smooth animations, correct fonts).
  • (Recommended) I joined the CommitPulse Discord community for contributor discussions, mentorship, and faster PR support.

Suggested labels: level:critical, bug, security

@vercel

vercel Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

@taniy8 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions

github-actions Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

📦 Next.js Bundle Size Report (Gzipped Sizes)

✨ No significant bundle size changes detected.

📊 Summary of Totals

Category PR Size Base Size Difference
Total JS 3433.75 KB 3433.75 KB 0 B
Total CSS 258.05 KB 258.05 KB 0 B

@Aamod007 Aamod007 added mentor:Aamod007 gssoc:approved PR has been reviewed and accepted for valid contribution points level:intermediate Moderate complexity tasks quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. type:bug Something isn't working as expected type:security Security fixes, dependency updates, or hardening labels Jun 15, 2026
Aamod007
Aamod007 approved these changes Jun 15, 2026
View reviewed changes

@Aamod007 Aamod007 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice hardening pass. In �pp/api/og/route.tsx, the new getClientIp(req) keying plus RateLimiter guard closes the unthrottled path before it can fan out GitHub API usage, and the new test in �pp/api/og/route.test.ts proves the 429 branch is wired correctly.

@github-actions github-actions Bot added this to the GSSoC 2026 milestone Jun 15, 2026
@JhaSourav07 JhaSourav07 merged commit bd50ee9 into JhaSourav07:main Jun 15, 2026
11 of 12 checks passed
@github-actions

github-actions Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

🎉 Congratulations @taniy8! Your PR has been successfully merged. 🚀

Thank you for contributing to CommitPulse. Your work helps us build a better tool for the community.

⚠️ Important for GSSoC Contributors:
You are strictly advised to join our Discord Server as it is mandatory for all GSSoC participants. All important announcements, point claims, and community discussions happen there.

Keep building! 💻✨

@Aamod007 Aamod007 added level:critical High-priority or mission-critical contributions affecting core systems, security, or infrastructure quality:exceptional Outstanding contribution with exceptional implementation quality, testing. and removed level:intermediate Moderate complexity tasks quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. labels Jun 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Aamod007 Aamod007 Aamod007 approved these changes

Assignees

No one assigned

Labels

gssoc:approved PR has been reviewed and accepted for valid contribution points level:critical High-priority or mission-critical contributions affecting core systems, security, or infrastructure mentor:Aamod007 quality:exceptional Outstanding contribution with exceptional implementation quality, testing. type:bug Something isn't working as expected type:security Security fixes, dependency updates, or hardening

Projects

None yet

Milestone

GSSoC 2026

Development

Successfully merging this pull request may close these issues.

bug: /api/og has no rate limiting

3 participants

@taniy8 @Aamod007 @JhaSourav07