
fix(api): prevent duplicate review flooding by using upsert on user-entity pair#48

Merged
AditthyaSS merged 1 commit into AditthyaSS:main from anshul23102:fix/38-review-rate-limit
Jun 1, 2026

Conversation

@anshul23102 (Contributor)

Description

POST /api/reviews had no duplicate guard or rate limit. An authenticated user could automate thousands of requests, inserting duplicate review rows and creating noise in the activity feed for all users. Each submission created two database rows (one review, one feedEvent), compounding the damage.

Related Issue

Closes #38

Type of Change

  • Bug fix (security)

Root Cause

prisma.review.create was called unconditionally. There was no uniqueness constraint enforced at the API level, and the database userId + entityType + entityId combination was not used as a deduplication key.

Changes Made

  • src/app/api/reviews/route.ts: Replaced prisma.review.create with prisma.review.upsert keyed on userId_entityType_entityId
  • src/app/api/reviews/route.ts: Feed event is now only emitted for genuinely new reviews (when createdAt === updatedAt), preventing duplicate feed entries on updates

How It Works

A repeat submission from the same user for the same entity now updates the existing review instead of inserting a new row. No external rate-limit store or Redis is required. The database unique index acts as the authoritative deduplication gate.

Screenshots or Demo

Not applicable (no UI change).

Testing Done

  • First submission creates a review and a feed event.
  • Second submission with the same user/entity updates the rating/comment; no new row or feed event is created.
  • Different users can each submit one review per entity.
  • Build passes with no type errors.

Checklist

  • I have read the CONTRIBUTING.md and followed its guidelines
  • My code follows the style and formatting of this project
  • I have tested my changes locally and they work as expected
  • There are no merge conflicts with the base branch
  • All CI checks are passing
  • This PR is linked to the correct issue
  • I have not used any AI-generated content in this PR

NSoC Label Request

@AditthyaSS could you please add the appropriate NSoC '26 label to this PR? Thank you!

… user-entity pair

POST /api/reviews had no rate limit or duplicate guard. An authenticated
user could automate thousands of requests, filling the database with
duplicate reviews and polluting the activity feed.

Replace prisma.review.create with prisma.review.upsert keyed on the
unique compound index (userId, entityType, entityId). A repeated
submission now updates the existing review instead of inserting a new row.
The feed event is only emitted for genuinely new reviews, not for updates,
keeping the activity feed accurate.

Closes AditthyaSS#38
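The mechanism described in the PR description and the commit message above, as an added example that is not the project's code: an in-memory model in which a Map keyed on the (userId, entityType, entityId) triple stands in for the Prisma unique index userId_entityType_entityId. The old unconditional-create path and the new upsert path run side by side so the difference in row and feed-event counts under a repeated submission is visible. The rating/comment fields come from the PR; the feed-event shape, the deterministic clock and the function names are assumptions of this example.

```typescript
// Added example (not the project's code): models the upsert-based dedup gate
// from the PR with an in-memory store instead of Prisma.

interface ReviewInput {
  userId: string;
  entityType: string;
  entityId: string;
  rating: number;
  comment: string;
}

interface Review extends ReviewInput {
  createdAt: number;
  updatedAt: number;
}

// Assumed feed-event shape; the real feedEvent columns are not shown in the PR.
interface FeedEvent {
  userId: string;
  entityType: string;
  entityId: string;
  at: number;
}

// Deterministic clock so the example is reproducible offline.
let tick = 0;
const now = (): number => ++tick;

// Stand-in for the compound unique index: one string per (userId, entityType, entityId).
const reviewKey = (r: Pick<ReviewInput, "userId" | "entityType" | "entityId">): string =>
  `${r.userId}\u0000${r.entityType}\u0000${r.entityId}`;

class ReviewStore {
  // Pre-fix shape: rows appended by auto-increment id, nothing stops duplicates.
  readonly rowsBeforeFix: Review[] = [];
  // Post-fix shape: at most one row per compound key, like the unique index.
  private readonly rows = new Map<string, Review>();
  readonly feed: FeedEvent[] = [];

  // Old behaviour: prisma.review.create called unconditionally, feed event every time.
  createUnconditionally(input: ReviewInput): void {
    const t = now();
    this.rowsBeforeFix.push({ ...input, createdAt: t, updatedAt: t });
    this.feed.push({ userId: input.userId, entityType: input.entityType, entityId: input.entityId, at: t });
  }

  // New behaviour: upsert keyed on the compound key; feed event only for a new row.
  upsert(input: ReviewInput): { review: Review; created: boolean } {
    const k = reviewKey(input);
    const t = now();
    const existing = this.rows.get(k);
    if (existing) {
      // update branch: rating/comment replaced, createdAt preserved, no feed event
      existing.rating = input.rating;
      existing.comment = input.comment;
      existing.updatedAt = t;
      return { review: existing, created: false };
    }
    // create branch: first review by this user for this entity
    const review: Review = { ...input, createdAt: t, updatedAt: t };
    this.rows.set(k, review);
    this.feed.push({ userId: input.userId, entityType: input.entityType, entityId: input.entityId, at: t });
    return { review, created: true };
  }

  reviewCount(): number {
    return this.rows.size;
  }
}

// Replays the scenario from the issue: one user repeating the same submission n
// times, then a second user reviewing the same entity once. Returns row and
// feed-event counts for the old and new paths so they can be compared.
function simulateFlood(n: number): { oldRows: number; oldFeed: number; newRows: number; newFeed: number } {
  const before = new ReviewStore();
  const after = new ReviewStore();
  // Constructed sample input.
  const base: ReviewInput = { userId: "u1", entityType: "book", entityId: "42", rating: 5, comment: "spam" };
  for (let i = 0; i < n; i++) {
    before.createUnconditionally(base);
    after.upsert({ ...base, rating: (i % 5) + 1, comment: `attempt ${i}` });
  }
  const other: ReviewInput = { ...base, userId: "u2", rating: 3, comment: "ok" };
  before.createUnconditionally(other);
  after.upsert(other);
  return {
    oldRows: before.rowsBeforeFix.length,
    oldFeed: before.feed.length,
    newRows: after.reviewCount(),
    newFeed: after.feed.length,
  };
}
```

Running simulateFlood(1000) gives 1001 rows and 1001 feed events on the old path and 2 of each on the new path. Two points of the design are worth noting. The example decides newness by whether the key was absent before the write, which is exactly the property the unique index guarantees; the PR instead compares createdAt to updatedAt after the upsert, which holds as long as the create branch writes both columns with the same timestamp. And the upsert bounds the number of rows per user and entity, not the number of requests: each repeat still reaches the database as an update, so request-volume limiting remains a separate control if that load matters.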

vercel Bot commented May 31, 2026

@anshul23102 is attempting to deploy a commit to the aditthyass' projects Team on Vercel.

A member of the Team first needs to authorize it.

@AditthyaSS AditthyaSS merged commit b0e81c8 into AditthyaSS:main Jun 1, 2026
1 check failed


Development

Successfully merging this pull request may close these issues.

[Security][Level 2] src/app/api/reviews/route.ts: no rate limiting on review submission allows authenticated users to flood the database

2 participants