fix(security): auth + size cap + rate limit on OCR extract endpoints (#182)

[Jose-Gael-Cruz-Lopez]

Closes #182. P2.

Vulnerability

/api/extract/pdf and /api/extract/image (routes/extract.py) took no Request and no auth guard, ran CPU-heavy Docling/tesseract OCR (up to 200 pages) for any anonymous caller, with no size cap and no rate limit. An attacker could drive unbounded OCR load/cost.

Fix

• Auth (401): get_session_user_id(request) on both routes.
• Size cap (413): 20 MB via a bounded read (read_within_limit), reusing the fix(security): newsletter exception leak + careers upload bounds (#199) #220 (fix(security): newsletter exception leak + careers upload bounds (#199) #220/PR fix(security): newsletter exception leak + careers upload bounds (#199) #220) bound/validate pattern — factored into a shared services/request_limits.py.
• Rate limit (429): per-user sliding window (check_rate_limit, 10/60s), same shape as the flashcard limiter, now in the shared module.

Tests — tests/test_extract_auth_bounds.py

Unauthenticated PDF/image → 401; oversize → 413; over-threshold → 429. All fail on pre-fix code (no auth/bounds/limiter).

Follow-ups (noted, out of scope)

• flashcard_import_service.check_rate_limit is a duplicate of the now-shared limiter and can migrate to request_limits (would make it truly "shared" per the issue). Left untouched to avoid scope creep.
• main.py's global HTTPException handler drops exc.headers, so the 429 conveys the retry budget in the detail string rather than a Retry-After header. Forwarding headers is a cross-cutting change worth its own PR.

⚠️ Auth-boundary change — do not merge, opened for your review.

[coderabbitai]

Warning

Review limit reached

@Jose-Gael-Cruz-Lopez, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 50 minutes and 18 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 18424445-85d9-49fb-b3e6-fa425ef167ab

📥 Commits

Reviewing files that changed from the base of the PR and between a27b688 and ff1d670.

📒 Files selected for processing (3)

• backend/routes/extract.py
• backend/services/request_limits.py
• backend/tests/test_extract_auth_bounds.py

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch security/182-ocr-auth-bounds-ratelimit

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	frontend	ff1d670	Commit Preview URL Branch Preview URL	Jun 13 2026, 06:13 AM