Skip to content

Security/secure roast route#3177

Open
Honey-pg wants to merge 10 commits into
Priyanshu-byte-coder:mainfrom
Honey-pg:security/secure-roast-route
Open

Security/secure roast route#3177
Honey-pg wants to merge 10 commits into
Priyanshu-byte-coder:mainfrom
Honey-pg:security/secure-roast-route

Conversation

@Honey-pg

@Honey-pg Honey-pg commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Secures the /api/ai/roast route by enforcing session checks, mapping requests to resolved app users, applying a rate limit of 5 requests per hour, and caching identical stats-based roasts/hype responses for 5 minutes.

Closes #3160


Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)
  • ✨ New feature (non-breaking change that adds functionality)
  • 💥 Breaking change (fix or feature that changes existing behavior)
  • 📝 Documentation update
  • ♻️ Refactor / code cleanup (no functional change)
  • ⚡ Performance improvement
  • 🔒 Security fix
  • 🧪 Tests only

What Changed

  • src/app/api/ai/roast/route.ts: Added getServerSession checks, mapped requests to users via resolveAppUser, implemented Upstash Redis rate limiting with a memory limiter fallback (5 req/hour), and implemented a 5-minute cache keyed by user ID, mode, and stats hash.
  • public/openapi.yaml: Documented the new 429 (Rate limit exceeded) response.

How to Test

  1. Send an unauthenticated request to /api/ai/roast. Verify it returns 401 Unauthorized.
  2. Authenticate and send a valid POST request with stats. Verify the roast/hype response is generated.
  3. Submit the identical request again. Verify it returns the cached response (returns cached: true internally and bypasses Gemini API generation).
  4. Send more than 5 requests within an hour. Verify the route returns 429 Rate limit exceeded with a Retry-After header.

Expected result: The route is fully protected against anonymous spam and duplicate calls.


Checklist

  • Linked the related issue above
  • Self-reviewed my own diff
  • No unnecessary console.log, debug code, or commented-out blocks
  • npm run lint passes locally
  • No TypeScript errors (npm run type-check)
  • Added or updated tests where applicable
  • Updated documentation / comments if behavior changed

Additional Context

  • The cache implementation sorts the languages list before generating the hash to guarantee that identical stats payloads in different ordering produce the same cache key.

Honey-pg and others added 9 commits June 28, 2026 10:31
Align Docker with CI using Node 22 and pinned pnpm 11.9, copy pnpm-workspace.yaml
for non-interactive build scripts, add native build tools, and improve auth logging
for self-hosted deployments.
pnpm requires an exact semver in packageManager (pnpm@11.9.0, not pnpm@11).
Also align @swc/core-linux-x64-gnu specifier with pnpm-lock.yaml for frozen-lockfile CI installs.
Remove explicit version: 11 from workflows to avoid conflict with
packageManager pnpm@11.9.0 in package.json (ERR_PNPM_BAD_PM_VERSION).
Upstream main workflows pin pnpm via action-setup version: 11. Fork PRs run
those workflows, not the PR branch workflow files, so packageManager in
package.json conflicts until merge. Docker still pins pnpm@11.9.0 via Corepack.
Use version: 11.9.0 in pnpm/action-setup across all workflows. Do not set
packageManager in package.json to avoid duplicate-version errors in CI.
Replace pnpm/action-setup@v6 with corepack prepare pnpm@11.9.0 in all
workflows. Avoids version conflicts between workflow version keys and
packageManager during fork PR CI runs.
@github-actions github-actions Bot added type:bug GSSoC type bonus: bug fix type:feature GSSoC type bonus: new feature type:docs GSSoC type bonus: documentation (+5 pts) type:performance GSSoC type bonus: performance (+15 pts) type:devops GSSoC type bonus: devops (+15 pts) gssoc26 GSSoC 2026 contribution type:security GSSoC type bonus: security (+20 pts) labels Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gssoc26 GSSoC 2026 contribution type:bug GSSoC type bonus: bug fix type:devops GSSoC type bonus: devops (+15 pts) type:docs GSSoC type bonus: documentation (+5 pts) type:feature GSSoC type bonus: new feature type:performance GSSoC type bonus: performance (+15 pts) type:security GSSoC type bonus: security (+20 pts)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] /api/ai/roast has no auth or rate limit — anyone can burn gemini credits

1 participant