Skip to content

fix: add rate limiting to auth endpoints#3398

Open
saurabhhhcodes wants to merge 2 commits into
ritesh-1918:mainfrom
saurabhhhcodes:fix/3344-auth-rate-limits
Open

fix: add rate limiting to auth endpoints#3398
saurabhhhcodes wants to merge 2 commits into
ritesh-1918:mainfrom
saurabhhhcodes:fix/3344-auth-rate-limits

Conversation

@saurabhhhcodes

@saurabhhhcodes saurabhhhcodes commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Summary

  • add slowapi rate limits to /auth/login and /auth/signup
  • match the existing backend limiter pattern by accepting Request in each endpoint signature

Closes #3344

Validation

  • python3 -m py_compile backend/main.py
  • git diff --check

Summary by CodeRabbit

  • New Features

    • Added an account status endpoint so the app can return the currently signed-in user.
  • Bug Fixes

    • Added rate limiting to sign-in and sign-up requests to help reduce abuse and improve service reliability.
  • Chores

    • Updated project ignore settings and cleaned up local editor configuration.

@vercel

vercel Bot commented Jul 5, 2026

Copy link
Copy Markdown

Someone is attempting to deploy a commit to the ritesh Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR adds rate limiting to Supabase cookie-auth /auth/login and /auth/signup endpoints via @limiter.limit(...) decorators and Request parameters, defines a /auth/me endpoint returning the current user, updates .gitignore with npm/vscode ignore patterns, and removes Python interpreter settings from .vscode/settings.json.

Changes

Authentication Rate Limiting

Layer / File(s) Summary
Rate-limited auth endpoints and current-user route
backend/main.py
auth_login and auth_signup gain @limiter.limit(...) decorators ("10/minute" and "5/minute") and a new request: Request parameter; a new /auth/me GET endpoint returns {"user": user} via Depends(get_current_user).

Development Configuration Cleanup

Layer / File(s) Summary
Ignore rules and workspace settings
.gitignore, .vscode/settings.json
.gitignore adds .npm-cache/, .npm/, .vscode/ ignore rules with an exception for !.vscode/extensions.json; .vscode/settings.json removes the pinned Python interpreter path and extra analysis paths.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

  • ritesh-1918/HELPDESK.AI#920: Both PRs modify backend/main.py using the same limiter-based @limiter.limit(...) approach on different route groups.

Suggested labels: level:intermediate, type:bug

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning The PR also changes .gitignore and empties .vscode/settings.json, which are unrelated to the auth rate-limiting issue. Move the .gitignore and .vscode/settings.json edits to a separate PR unless they are necessary for the rate-limiting fix.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main change: adding rate limiting to authentication endpoints.
Linked Issues check ✅ Passed The PR addresses #3344 by adding server-side rate limiting to /auth/login and /auth/signup with the existing limiter pattern.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
backend/main.py (1)

1154-1155: 🔒 Security & Privacy | 🔵 Trivial

Confirm X-Forwarded-For trust for get_remote_address.

get_remote_address (used as key_func) derives the client identity from X-Forwarded-For. If this app is deployed behind a proxy without stripping/validating that header (or is directly internet-facing), an attacker can spoof it to bypass the per-IP login/signup limits, defeating the brute-force protection this PR aims to add. Slowapi's own docs recommend pairing this with something like uvicorn's ProxyHeadersMiddleware for robust IP resolution.

Also applies to: 1175-1176

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/main.py` around lines 1154 - 1155, The login/signup rate limiting is
using get_remote_address as the key function, which can trust X-Forwarded-For
and be spoofed if proxy headers are not validated. Update the rate-limiter setup
around auth_login and the signup handler to use a client-IP source that is only
trusted behind a properly configured proxy, and ensure the app is
wrapped/configured with ProxyHeadersMiddleware or equivalent so X-Forwarded-For
is stripped/validated before slowapi sees it. If the deployment cannot guarantee
trusted proxy headers, switch the key_func to a safer identity source instead of
get_remote_address.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.gitignore:
- Around line 27-30: The .gitignore rule for .vscode currently ignores the
directory itself, which blocks the later exception for extensions.json. Update
the ignore pattern to target the contents of .vscode instead, or explicitly
unignore the .vscode directory before the !.vscode/extensions.json exception so
the file can be tracked correctly.

In `@backend/main.py`:
- Around line 1154-1155: The auth handlers in main.py use Response in their
function signatures, but it is not imported, causing module import failure.
Update the FastAPI import list in backend/main.py to include Response so
auth_login and auth_signup can load without NameError.

---

Nitpick comments:
In `@backend/main.py`:
- Around line 1154-1155: The login/signup rate limiting is using
get_remote_address as the key function, which can trust X-Forwarded-For and be
spoofed if proxy headers are not validated. Update the rate-limiter setup around
auth_login and the signup handler to use a client-IP source that is only trusted
behind a properly configured proxy, and ensure the app is wrapped/configured
with ProxyHeadersMiddleware or equivalent so X-Forwarded-For is
stripped/validated before slowapi sees it. If the deployment cannot guarantee
trusted proxy headers, switch the key_func to a safer identity source instead of
get_remote_address.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: aed1f5af-6bd2-4cc8-b41f-a91b1926c3b4

📥 Commits

Reviewing files that changed from the base of the PR and between da8faf2 and 96a30a4.

📒 Files selected for processing (4)
  • .gitignore
  • .npm-cache/_update-notifier-last-checked
  • .vscode/settings.json
  • backend/main.py
💤 Files with no reviewable changes (1)
  • .vscode/settings.json

Comment thread .gitignore
Comment on lines +27 to +30
.npm-cache/
.npm/
.vscode/
!.vscode/extensions.json

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
git check-ignore -v .vscode/extensions.json

Repository: ritesh-1918/HELPDESK.AI

Length of output: 208


Rework the .vscode ignore rule

Ignoring the directory itself prevents !.vscode/extensions.json from bringing that file back in. Use .vscode/* instead, or unignore .vscode/ before the exception.

Suggested fix
-.vscode/
+.vscode/*
 !.vscode/extensions.json
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
.npm-cache/
.npm/
.vscode/
!.vscode/extensions.json
.npm-cache/
.npm/
.vscode/*
!.vscode/extensions.json
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.gitignore around lines 27 - 30, The .gitignore rule for .vscode currently
ignores the directory itself, which blocks the later exception for
extensions.json. Update the ignore pattern to target the contents of .vscode
instead, or explicitly unignore the .vscode directory before the
!.vscode/extensions.json exception so the file can be tracked correctly.

Comment thread backend/main.py
Comment on lines +1154 to +1155
@limiter.limit("10/minute")
async def auth_login(body: LoginBody, request: Request, response: Response):

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether `Response` is imported anywhere in backend/main.py
rg -n 'Response' backend/main.py | head -30
rg -n 'from __future__ import annotations' backend/main.py

Repository: ritesh-1918/HELPDESK.AI

Length of output: 1799


Import Response in backend/main.py response: Response is used in multiple function signatures here, but Response is never imported. That raises NameError at module import and prevents /auth/login and /auth/signup from loading. Add Response to the FastAPI import list.

🧰 Tools
🪛 Ruff (0.15.20)

[error] 1155-1155: Undefined name Response

(F821)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/main.py` around lines 1154 - 1155, The auth handlers in main.py use
Response in their function signatures, but it is not imported, causing module
import failure. Update the FastAPI import list in backend/main.py to include
Response so auth_login and auth_signup can load without NameError.

Source: Linters/SAST tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] Missing Rate Limiting on Authentication Endpoints

1 participant