Status: Open
Labels: low-priority (Low priority issue), security (Security vulnerabilities)
Description
Summary
The MessageRateLimiter class stores rate limit state in-memory per connection, not shared across server instances.
Impact
Severity: LOW
In a multi-instance deployment, an attacker could distribute messages across different server instances to bypass rate limits.
Files Affected
/api/studio_chat_ws.py (lines 55-83)
Recommended Fix
Use Redis-backed rate limiting (slowapi with Redis storage) for chat message rate limiting, similar to REST endpoints:
```python
import redis.asyncio as aioredis
from slowapi import Limiter
from slowapi.util import get_remote_address

# `settings` is the project's configuration object (its import is not shown here);
# settings.REDIS_URL is the connection string shared by every server instance.

# Configure Redis-backed limiter (REST endpoints)
limiter = Limiter(
    key_func=get_remote_address,
    storage_uri=settings.REDIS_URL,
)

# Shared Redis client used by the WebSocket handler
redis = aioredis.from_url(settings.REDIS_URL)


# In WebSocket handler
async def check_chat_rate_limit(user_id: str, stream_id: int) -> bool:
    # Fixed-window counter keyed per stream and user, kept in Redis so every instance sees it
    key = f"chat_rate:{stream_id}:{user_id}"
    count = await redis.incr(key)
    if count == 1:
        # First message of the window: start the 60-second TTL
        await redis.expire(key, 60)
    return count <= 60  # 60 messages per minute
```

🤖 Generated by automated security review
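To make the finding measurable, here is an added simulation (not code from the project or from the issue): it runs the recommended fixed-window check against a tiny in-memory stand-in for the two Redis commands it uses (INCR, EXPIRE), then compares three instances that each keep private state, which is the reported bug, with three instances sharing one store. `FakeRedis`, `accepted_count` and `compare` are names chosen for this example; the 60-per-minute limit is the one from the fix.

```python
import asyncio
import time
LIMIT = 60   # messages per window, as in the recommended fix
WINDOW = 60  # window length in seconds

class FakeRedis:
    """Constructed in-memory stand-in for the Redis commands the fix uses: INCR and EXPIRE."""
    def __init__(self, clock=time.monotonic):
        self._data = {}      # key -> [count, expires_at or None]
        self._clock = clock  # injectable clock so window expiry can be tested offline
    def _live(self, key):
        entry = self._data.get(key)
        if entry is not None and entry[1] is not None and entry[1] <= self._clock():
            del self._data[key]  # TTL elapsed: Redis would have evicted the key
            return None
        return entry

    async def incr(self, key):
        entry = self._live(key)
        if entry is None:
            entry = self._data[key] = [0, None]
        entry[0] += 1
        return entry[0]
    async def expire(self, key, seconds):
        entry = self._live(key)
        if entry is not None:
            entry[1] = self._clock() + seconds

async def check_chat_rate_limit(store, user_id, stream_id):
    """The issue's fixed-window check, with the store passed in instead of a module global."""
    key = f"chat_rate:{stream_id}:{user_id}"
    count = await store.incr(key)
    if count == 1:
        await store.expire(key, WINDOW)
    return count <= LIMIT

def accepted_count(stores, n, user_id="u1", stream_id=7):
    """Send n messages from one user round-robin across instances; return how many pass."""
    async def run():
        accepted = 0
        for i in range(n):
            accepted += await check_chat_rate_limit(stores[i % len(stores)], user_id, stream_id)
        return accepted
    return asyncio.run(run())

def compare(instances=3, n=200):
    # Vulnerable layout: a private store per instance. Fixed layout: one store shared by all.
    vulnerable = accepted_count([FakeRedis() for _ in range(instances)], n)
    fixed = accepted_count([FakeRedis()] * instances, n)
    return vulnerable, fixed
```

With three instances, the per-instance layout lets 180 of 200 messages through while the shared store stops at 60. Against real Redis, note that INCR followed by a separate EXPIRE is not atomic: a process dying between the two calls leaves a key that never expires, so a single Lua script or an equivalent atomic command sequence is the safer form of the same counter.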