fix: add guest limits and rate limiting to booking-guests endpoint #27494
Merged
+33 −5
Contributor
- Add ArrayMaxSize(10) validation to limit guests per request to 10
- Add aggressive rate limiting (5 requests/minute) via @Throttle decorator
- Add total guest limit check (max 30 guests per booking) to prevent abuse
- Update API documentation to reflect new limits

This prevents scammers from using the endpoint to send spam emails to hundreds of guests through our system.

Co-Authored-By: morgan@cal.com <morgan@cal.com>
Contributor
🤖 Devin AI Engineer: I'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
keithwillcode previously approved these changes Feb 2, 2026
Contributor
No issues found across 3 files
Co-Authored-By: morgan@cal.com <morgan@cal.com>
1ce1cb1 to 931e5d4
ThyMinimalDev added a commit that referenced this pull request Feb 2, 2026
…27494)

* fix: add guest limits and rate limiting to booking-guests endpoint

- Add ArrayMaxSize(10) validation to limit guests per request to 10
- Add aggressive rate limiting (5 requests/minute) via @Throttle decorator
- Add total guest limit check (max 30 guests per booking) to prevent abuse
- Update API documentation to reflect new limits

This prevents scammers from using the endpoint to send spam emails to hundreds of guests through our system.

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* docs: update openapi.json with guest limits and rate limiting info

Co-Authored-By: morgan@cal.com <morgan@cal.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Contributor
E2E results are ready!
What does this PR do?
Adds multiple layers of protection to the booking-guests API endpoint to prevent abuse by scammers who could use it to send spam emails to hundreds of guests through our system.
Changes:
ArrayMaxSize)
Mandatory Tasks (DO NOT REMOVE)
How should this be tested?
BadRequestException with helpful message showing remaining slots
Checklist
Human Review Checklist
booking.attendees.length (which includes all attendees, not just guests) is the intended behavior for the 30-guest limit
Updates since last revision
minItems: 1 from openapi.json to avoid breaking change CI failure (the validation already existed in code via @ArrayMinSize(1), but documenting it in openapi.json was flagged as a breaking API change)
Link to Devin run: https://app.devin.ai/sessions/f4f2e369887d41f7b2261353a29e052c
Requested by: @ThyMinimalDev