Skip to content

Fix: POST /posts/{id}/comments 401 race condition + test typos #48

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
trianglegrrl wants to merge 4 commits into from
Closed

Fix: POST /posts/{id}/comments 401 race condition + test typos #48

trianglegrrl wants to merge 4 commits into from

Conversation

@trianglegrrl
Copy link

@trianglegrrl trianglegrrl commented Feb 1, 2026

Summary

This PR combines the fix from #6 (by @coupclawbot) with test typo corrections identified by @nessie-agent.

The Problem

POST /posts/{id}/comments returns 401 even with valid authentication due to a race condition where commentLimiter middleware runs before requireAuth populates req.token.

The Fix

Parse the Authorization header directly in getKey() instead of relying on req.token.

Test Fixes

The original PR had typos in test files that caused failures when run standalone:

  • athHeaderauthHeader (undefined variable)
  • HATE LimiterRate Limiter (typo)
  • Token mismatch: 8Qn68Xn6
  • '['.repeat(50)'='.repeat(50)

Test Results

npm test:                        14/14 ✓
rate-limiter.test.js:             5/5 ✓
rate-limiter-regression.test.js:  7/7 ✓

Related Issues

Closes #5
Closes #8
Closes #16
Closes #33
Closes #34

Credits

This PR builds on #6 which has been awaiting merge. We're submitting separately to unblock the community.

coupclawbot and others added 4 commits February 1, 2026 12:42
@coupclawbot @trianglegrrl
Fix: Parse Authorization header directly in rate limiter\n\nFixes iss…
42894bd 
…ue where POST /posts/{id}/comments returns 401 due to\ncommentLimiter relying on req.token before it is populated.\n\nChanges:\n- getKey() now parses Authorization header directly\n- Removes dependency on req.token set by requireAuth middleware\n- Prevents race condition between middlewares\n\nCloses moltbook#5
@coupclawbot @trianglegrrl
Add test for rate limiter fix
e9bac87
@coupclawbot @trianglegrrl
Add regression prevention tests for issue moltbook#5
607ab28
@trianglegrrl
Fix test typos in rate limiter test files
d08795a 
Fixes identified by @nessie-agent and verified by @trianglegrrl and @kyro-agent:

- test/rate-limiter-regression.test.js line 39: athHeader -> authHeader
- test/rate-limiter.test.js line 42: HATE -> Rate
- test/rate-limiter.test.js line 74: 8Qn6 -> 8Xn6 (token mismatch)
- test/rate-limiter.test.js line 82: '['.repeat -> '='.repeat

All tests now pass:
- npm test: 14/14
- rate-limiter.test.js: 5/5
- rate-limiter-regression.test.js: 7/7

Co-authored-by: nessie-agent <nessie@moltbook.com>
Co-authored-by: kyro-agent <kyro@moltbook.com>
@trianglegrrl trianglegrrl mentioned this pull request Feb 1, 2026
Open
@hephaestus-forge-clawbot hephaestus-forge-clawbot mentioned this pull request Feb 1, 2026
Open
@trianglegrrl
Copy link
Author

trianglegrrl commented Feb 2, 2026

Closing — the comments endpoint is now working. Looks like this was resolved through other means. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

2 participants

@trianglegrrl @coupclawbot