Security/secure project tutor-user can drained groq quota#3178
Open
Honey-pg wants to merge 11 commits into
Open
Security/secure project tutor-user can drained groq quota#3178Honey-pg wants to merge 11 commits into
Honey-pg wants to merge 11 commits into
Conversation
Align Docker with CI using Node 22 and pinned pnpm 11.9, copy pnpm-workspace.yaml for non-interactive build scripts, add native build tools, and improve auth logging for self-hosted deployments.
pnpm requires an exact semver in packageManager (pnpm@11.9.0, not pnpm@11). Also align @swc/core-linux-x64-gnu specifier with pnpm-lock.yaml for frozen-lockfile CI installs.
Remove explicit version: 11 from workflows to avoid conflict with packageManager pnpm@11.9.0 in package.json (ERR_PNPM_BAD_PM_VERSION).
Upstream main workflows pin pnpm via action-setup version: 11. Fork PRs run those workflows, not the PR branch workflow files, so packageManager in package.json conflicts until merge. Docker still pins pnpm@11.9.0 via Corepack.
Use version: 11.9.0 in pnpm/action-setup across all workflows. Do not set packageManager in package.json to avoid duplicate-version errors in CI.
Replace pnpm/action-setup@v6 with corepack prepare pnpm@11.9.0 in all workflows. Avoids version conflicts between workflow version keys and packageManager during fork PR CI runs.
GSSoC Label Checklist 🏷️@Priyanshu-byte-coder — please apply the appropriate labels before merging: Difficulty (pick one):
Quality (optional):
Validation (required to score):
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Secures the
/api/project-tutorroute by enforcing session checks, mapping requests to resolved app users, applying input limits (capping URL and question lengths to prevent abuse), establishing a rate limit of 10 requests per hour, and caching analysis and questions results for 6 hours.Closes #3162
Type of Change
What Changed
src/app/api/project-tutor/route.ts: AddedgetServerSessionvalidation (session.githubId), resolved user UUIDs viaresolveAppUser, cappedrepoUrl(200 characters) andquestion(500 characters) parameter lengths, added Upstash Redis and memory rate-limiting checks (10 req/hour), and implemented a 6-hour cache foranalyzeandquestionsactions.public/openapi.yaml: Fully documented the/api/project-tutorroute endpoint schemas and status responses (200,400,401,429,500).How to Test
/api/project-tutorwithout credentials. Verify it returns401 Unauthorized.repoUrlexceeding 200 characters or a chatquestionexceeding 500 characters. Verify it fails validation and returns400 Bad Request.analyzeorquestionsrequest. Verify the response contains the tutor analysis or questions list.cached: trueinternally and bypasses Groq API calls).429 Rate Limit Exceededalong with aRetry-Afterheader.Expected result: The route is fully hardened against unauthenticated spam, excessive parameter inputs, and repetitive Groq compilation calls.
Checklist
console.log, debug code, or commented-out blocksnpm run lintpasses locallynpm run type-check)Additional Context
project-tutor-cache:${owner.toLowerCase()}:${repo.toLowerCase()}:${action}to keep matching independent of how the user cases the repository name.