Security/secure roast route#3177
Open
Honey-pg wants to merge 10 commits into
Open
Conversation
Align Docker with CI using Node 22 and pinned pnpm 11.9, copy pnpm-workspace.yaml for non-interactive build scripts, add native build tools, and improve auth logging for self-hosted deployments.
pnpm requires an exact semver in packageManager (pnpm@11.9.0, not pnpm@11). Also align @swc/core-linux-x64-gnu specifier with pnpm-lock.yaml for frozen-lockfile CI installs.
Remove explicit version: 11 from workflows to avoid conflict with packageManager pnpm@11.9.0 in package.json (ERR_PNPM_BAD_PM_VERSION).
Upstream main workflows pin pnpm via action-setup version: 11. Fork PRs run those workflows, not the PR branch workflow files, so packageManager in package.json conflicts until merge. Docker still pins pnpm@11.9.0 via Corepack.
Use version: 11.9.0 in pnpm/action-setup across all workflows. Do not set packageManager in package.json to avoid duplicate-version errors in CI.
Replace pnpm/action-setup@v6 with corepack prepare pnpm@11.9.0 in all workflows. Avoids version conflicts between workflow version keys and packageManager during fork PR CI runs.
GSSoC Label Checklist 🏷️@Priyanshu-byte-coder — please apply the appropriate labels before merging: Difficulty (pick one):
Quality (optional):
Validation (required to score):
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Secures the
/api/ai/roastroute by enforcing session checks, mapping requests to resolved app users, applying a rate limit of 5 requests per hour, and caching identical stats-based roasts/hype responses for 5 minutes.Closes #3160
Type of Change
What Changed
src/app/api/ai/roast/route.ts: AddedgetServerSessionchecks, mapped requests to users viaresolveAppUser, implemented Upstash Redis rate limiting with a memory limiter fallback (5 req/hour), and implemented a 5-minute cache keyed by user ID, mode, and stats hash.public/openapi.yaml: Documented the new429(Rate limit exceeded) response.How to Test
/api/ai/roast. Verify it returns401 Unauthorized.cached: trueinternally and bypasses Gemini API generation).429 Rate limit exceededwith aRetry-Afterheader.Expected result: The route is fully protected against anonymous spam and duplicate calls.
Checklist
console.log, debug code, or commented-out blocksnpm run lintpasses locallynpm run type-check)Additional Context