Skip to content

Security/secure project tutor-user can drained groq quota#3178

Open
Honey-pg wants to merge 11 commits into
Priyanshu-byte-coder:mainfrom
Honey-pg:security/secure-project-tutor
Open

Security/secure project tutor-user can drained groq quota#3178
Honey-pg wants to merge 11 commits into
Priyanshu-byte-coder:mainfrom
Honey-pg:security/secure-project-tutor

Conversation

@Honey-pg

@Honey-pg Honey-pg commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Secures the /api/project-tutor route by enforcing session checks, mapping requests to resolved app users, applying input limits (capping URL and question lengths to prevent abuse), establishing a rate limit of 10 requests per hour, and caching analysis and questions results for 6 hours.

Closes #3162


Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)
  • ✨ New feature (non-breaking change that adds functionality)
  • 💥 Breaking change (fix or feature that changes existing behavior)
  • 📝 Documentation update
  • ♻️ Refactor / code cleanup (no functional change)
  • ⚡ Performance improvement
  • 🔒 Security fix
  • 🧪 Tests only

What Changed

  • src/app/api/project-tutor/route.ts: Added getServerSession validation (session.githubId), resolved user UUIDs via resolveAppUser, capped repoUrl (200 characters) and question (500 characters) parameter lengths, added Upstash Redis and memory rate-limiting checks (10 req/hour), and implemented a 6-hour cache for analyze and questions actions.
  • public/openapi.yaml: Fully documented the /api/project-tutor route endpoint schemas and status responses (200, 400, 401, 429, 500).

How to Test

  1. Submit a POST request to /api/project-tutor without credentials. Verify it returns 401 Unauthorized.
  2. Submit a request with a repoUrl exceeding 200 characters or a chat question exceeding 500 characters. Verify it fails validation and returns 400 Bad Request.
  3. Send a valid analyze or questions request. Verify the response contains the tutor analysis or questions list.
  4. Send the identical query again. Verify it returns the response immediately from the cache (returns cached: true internally and bypasses Groq API calls).
  5. Exceed 10 requests within an hour. Verify the route returns 429 Rate Limit Exceeded along with a Retry-After header.

Expected result: The route is fully hardened against unauthenticated spam, excessive parameter inputs, and repetitive Groq compilation calls.


Checklist

  • Linked the related issue above
  • Self-reviewed my own diff
  • No unnecessary console.log, debug code, or commented-out blocks
  • npm run lint passes locally
  • No TypeScript errors (npm run type-check)
  • Added or updated tests where applicable
  • Updated documentation / comments if behavior changed

Additional Context

  • The cache keys are structured as project-tutor-cache:${owner.toLowerCase()}:${repo.toLowerCase()}:${action} to keep matching independent of how the user cases the repository name.

Honey-pg and others added 10 commits June 28, 2026 10:31
Align Docker with CI using Node 22 and pinned pnpm 11.9, copy pnpm-workspace.yaml
for non-interactive build scripts, add native build tools, and improve auth logging
for self-hosted deployments.
pnpm requires an exact semver in packageManager (pnpm@11.9.0, not pnpm@11).
Also align @swc/core-linux-x64-gnu specifier with pnpm-lock.yaml for frozen-lockfile CI installs.
Remove explicit version: 11 from workflows to avoid conflict with
packageManager pnpm@11.9.0 in package.json (ERR_PNPM_BAD_PM_VERSION).
Upstream main workflows pin pnpm via action-setup version: 11. Fork PRs run
those workflows, not the PR branch workflow files, so packageManager in
package.json conflicts until merge. Docker still pins pnpm@11.9.0 via Corepack.
Use version: 11.9.0 in pnpm/action-setup across all workflows. Do not set
packageManager in package.json to avoid duplicate-version errors in CI.
Replace pnpm/action-setup@v6 with corepack prepare pnpm@11.9.0 in all
workflows. Avoids version conflicts between workflow version keys and
packageManager during fork PR CI runs.
@github-actions github-actions Bot added gssoc26 GSSoC 2026 contribution type:devops GSSoC type bonus: devops (+15 pts) type:docs GSSoC type bonus: documentation (+5 pts) type:security GSSoC type bonus: security (+20 pts) type:bug GSSoC type bonus: bug fix type:feature GSSoC type bonus: new feature type:performance GSSoC type bonus: performance (+15 pts) labels Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gssoc26 GSSoC 2026 contribution type:bug GSSoC type bonus: bug fix type:devops GSSoC type bonus: devops (+15 pts) type:docs GSSoC type bonus: documentation (+5 pts) type:feature GSSoC type bonus: new feature type:performance GSSoC type bonus: performance (+15 pts) type:security GSSoC type bonus: security (+20 pts)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] /api/project-tutor has no rate limit — one signed-in user can drain groq quota

1 participant