Skip to content

feat: API validation & server-side rate limiting#654

Merged
Emmzyemms merged 2 commits into
ANYTECHS:mainfrom
fridaypetra55-afk:feat/api-validation-rate-limiting
Jun 29, 2026
Merged

feat: API validation & server-side rate limiting#654
Emmzyemms merged 2 commits into
ANYTECHS:mainfrom
fridaypetra55-afk:feat/api-validation-rate-limiting

Conversation

@fridaypetra55-afk

Copy link
Copy Markdown
Contributor

Closes #499

Summary

This PR strengthens the API by adding request validation and server-side rate limiting. It enforces upload limits, validates job IDs before processing requests, implements an in-memory token bucket rate limiter, exposes rate limit headers, and adds comprehensive integration tests covering all acceptance criteria.

Changes

  • Limited /api/upload to a maximum of MAX_FILES_PER_REQUEST (10) files per request.

  • Return HTTP 400 Bad Request when the upload limit is exceeded.

  • Added validation for /api/jobs/[id] to accept only valid alphanumeric or UUID identifiers with a maximum length of 64 characters.

  • Return HTTP 400 Bad Request for invalid job IDs.

  • Implemented a server-side in-memory token bucket rate limiter via applyRateLimit.

  • Added rate limit response headers:

    • X-RateLimit-Limit
    • X-RateLimit-Remaining
    • Retry-After (on HTTP 429 responses)
  • Improved API resilience against malformed requests and excessive traffic.

Testing

Added 16 integration tests covering:

  • Upload requests within the configured file limit.
  • Upload requests exceeding MAX_FILES_PER_REQUEST.
  • Valid job ID formats (alphanumeric and UUID).
  • Invalid and oversized job IDs returning HTTP 400.
  • Rate limiter behavior under normal request volume.
  • HTTP 429 responses when the rate limit is exceeded.
  • Presence and correctness of X-RateLimit-Limit, X-RateLimit-Remaining, and Retry-After response headers.

Checklist

  • Branch is based on the latest main
  • Commit messages follow Conventional Commits
  • Tests were run locally
  • Documentation updated if needed
  • CHANGELOG updated or release notes covered

- Cap /api/upload at MAX_FILES_PER_REQUEST=10; return 400 if exceeded
- Validate /api/jobs/[id] id format (alphanumeric/UUID, max 64 chars); return 400 on invalid
- Add server-side in-memory token bucket rate limiter (applyRateLimit)
- Return X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After on 429
- Add integration tests covering all acceptance criteria (16 tests)

Closes ANYTECHS#499
@drips-wave

drips-wave Bot commented Jun 28, 2026

Copy link
Copy Markdown

@fridaypetra55-afk Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@Emmzyemms Emmzyemms merged commit f71203a into ANYTECHS:main Jun 29, 2026
0 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add Input Validation and Rate Limiting to API Routes

2 participants