Feature: Implement Sign-Up Rate Limiting #134

ben-fornefeld · 2025-09-01T10:39:05Z

This pr adds an ip based sign-up counter using Redis. all crucial values are configurable via environment variables.

The configuration for production is currently set to:

  SIGN_UP_LIMIT_PER_WINDOW=1
  SIGN_UP_WINDOW_HOURS=24

If the user has too many sign-up's, he might see rate limit alert like this:

Note

Introduces IP-based sign-up rate limiting using Vercel KV with configurable env vars and integrates checks into signUpAction.

Auth/Backend:
- Add IP-based sign-up rate limiting in src/server/auth/auth-actions.ts using ipAddress and new helpers incrementAndCheckSignUpRateLimit/decrementSignUpRateLimit.
- New module src/server/auth/ratelimit.ts implements atomic Redis Lua scripts for increment/decrement and TTL handling.
- Extend error handling (email_address_invalid) and warn when no IP in production.
Config/Env:
- New flag ENABLE_SIGN_UP_RATE_LIMITING in src/configs/flags.ts; add KV-backed KV_KEYS.RATE_LIMIT_SIGN_UP and defaults in src/configs/limits.ts.
- Expand src/lib/env.ts schemas: add numeric-boolean support and new server vars ENABLE_SIGN_UP_RATE_LIMITING, SIGN_UP_LIMIT_PER_WINDOW, SIGN_UP_WINDOW_HOURS; tighten client NEXT_PUBLIC_* booleans.
- .env.example: document optional Auth rate limiting envs.
Dependencies/Build:
- Add @vercel/functions dependency.
- tsconfig.json: set jsx to preserve.

^{Written by Cursor Bugbot for commit 0f99957. This will update automatically on new commits. Configure here.}

linear · 2025-09-01T10:39:08Z

E2B-2967 Feat: sign-up request limiting per ip address

vercel · 2025-09-01T10:39:11Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
web	Ready	Preview	Comment	Oct 7, 2025 1:18pm
web-juliett	Ready	Preview	Comment	Oct 7, 2025 1:18pm

src/app/api/auth/confirm/route.ts

src/server/auth/auth-actions.ts

src/server/auth/rate-limiting.ts

mishushakov · 2025-09-01T11:27:46Z

Did you test it on staging?

- Introduced `@upstash/ratelimit` dependency for improved rate limiting functionality. - Replaced manual increment logic with Upstash's rate limiting utility in the sign-up process. - Updated sign-up rate limiting checks to enhance logging and error handling. - Refactored related functions to streamline the rate limiting implementation.

…up process - Renamed `TruethyOrFalsy` to `NumericBoolean` for clarity in environment schema. - Added new fields for sign-up attempts limit and window in the environment schema. - Updated rate limiting functions to improve clarity and logging for sign-up attempts. - Refactored related code to enhance consistency in rate limiting checks.

…n for sign-up process - Renamed `SIGN_UP_ATTEMPTS_LIMIT` to `SIGN_UP_ATTEMPTS_LIMIT_PER_WINDOW` for clarity. - Added new environment variables for sign-up rate limiting configuration. - Updated documentation and related code to reflect the changes in rate limiting logic.

- Added checks to ensure a valid IP address is retrieved in both the auth confirmation route and sign-up action. - Returns an error response if the IP address is invalid, improving error handling and user feedback.

…lidation - Introduced a custom string type for validating positive numbers in the environment schema. - Updated rate limiting configuration to ensure that limits and windows are positive numbers. - Improved documentation to reflect the new validation requirements for rate limiting parameters.

- Refactored IP address extraction in the auth confirmation route and sign-up action to use a dedicated utility function. - Enhanced logging to capture errors when IP headers are missing in production environments. - Updated documentation to clarify the handling of IP addresses in the rate limiting system, including support for development environments.

All comments were addressed

Let's do it again

…d simplifying logic

ben-fornefeld · 2025-10-07T13:16:57Z

bugbot run

cursor · 2025-10-07T13:19:07Z

src/configs/flags.ts

+export const ENABLE_SIGN_UP_RATE_LIMITING =
+  process.env.ENABLE_SIGN_UP_RATE_LIMITING === '1' &&
+  process.env.KV_REST_API_URL &&
+  process.env.KV_REST_API_TOKEN


Bug: Rate Limiting Flag Evaluates Incorrectly

The ENABLE_SIGN_UP_RATE_LIMITING flag's logic is flawed. It evaluates to a non-boolean string (e.g., KV_REST_API_TOKEN's value or an empty string) when enabled, which may cause unexpected conditional behavior. It also treats empty strings for KV_REST_API_URL and KV_REST_API_TOKEN as valid, potentially leading to silent rate limiting failures.

ben-fornefeld added 2 commits September 1, 2025 12:33

Feature: Implement Sign-Up Rate Limiting

e788636

patch: Update Sign-Up Rate Limiting Flag Logic

97d71d1

ben-fornefeld self-assigned this Sep 1, 2025

ben-fornefeld added enhancement New feature or request feature labels Sep 1, 2025

vercel bot deployed to Preview – web September 1, 2025 10:41 View deployment

remove: manual reset since ttl resets

2aeb968

vercel bot deployed to Preview – web September 1, 2025 10:49 View deployment

mishushakov previously requested changes Sep 1, 2025

View reviewed changes

src/app/api/auth/confirm/route.ts Outdated Show resolved Hide resolved

src/server/auth/auth-actions.ts Outdated Show resolved Hide resolved

src/server/auth/rate-limiting.ts Outdated Show resolved Hide resolved

ben-fornefeld marked this pull request as draft September 8, 2025 08:51

vercel bot deployed to Preview – web September 9, 2025 08:54 View deployment

refactor: Reorganize OTP verification logic in auth confirmation route

1c8e1ed

vercel bot deployed to Preview – web September 9, 2025 10:38 View deployment

vercel bot deployed to Preview – web September 9, 2025 11:02 View deployment

ben-fornefeld marked this pull request as ready for review September 9, 2025 11:53

vercel bot deployed to Preview – web September 9, 2025 11:54 View deployment