Overview
src/lib/ratelimit.ts uses a module-level Map as its store. In a multi-instance deployment, each instance maintains an independent counter. A client can bypass the AUTH rate limit (5/min) by sending 5 requests to each instance, which multiplies the effective limit by the number of instances.
Specifications
Features:
- Rate limits are enforced consistently across all server instances and edge nodes
- A Redis or Upstash store is used as the shared counter backend
Tasks:
- Install @upstash/ratelimit and @upstash/redis
- Configure UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN env vars
- Implement a RateLimiter class that switches between in-memory (dev) and Upstash (prod) based on NODE_ENV
- Update all withRateLimit() call sites to use the new class
- Document env vars in .env.example
Impacted Files:
- src/lib/ratelimit.ts
- .env.example
- All route files calling withRateLimit()
Acceptance Criteria
- Rate limits are enforced globally across all instances in production
- In-memory fallback works in development without Redis configured
- Existing rate-limit tests pass using the in-memory backend
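Added example (not the project's code) showing why the module-level Map fails and why a shared store fixes it: a fixed-window RateLimiter with a pluggable CounterStore, run as several simulated instances that either own a private in-memory store (the bug) or share one store (what the Redis/Upstash backend provides). The names CounterStore, MemoryStore and allowedAcrossInstances are assumptions for this example; the 5-per-minute AUTH limit is the one from the overview.

```typescript
// Counter backend abstraction; production would implement this over Redis/Upstash.
interface CounterStore {
  // Increments the counter for `key` in the current window and returns the new count.
  incr(key: string, windowMs: number, now: number): number;
}

// In-memory store: each process gets its own Map, so counters are per instance.
class MemoryStore implements CounterStore {
  private hits = new Map<string, { count: number; resetAt: number }>();
  incr(key: string, windowMs: number, now: number): number {
    const entry = this.hits.get(key);
    if (!entry || now >= entry.resetAt) {
      this.hits.set(key, { count: 1, resetAt: now + windowMs });
      return 1;
    }
    entry.count += 1;
    return entry.count;
  }
}

class RateLimiter {
  private store: CounterStore;
  private limit: number;
  private windowMs: number;
  constructor(store: CounterStore, limit: number, windowMs: number) {
    this.store = store;
    this.limit = limit;
    this.windowMs = windowMs;
  }
  // Returns true when the request is within the limit for `key` (e.g. client IP or user id).
  check(key: string, now: number = Date.now()): boolean {
    return this.store.incr(key, this.windowMs, now) <= this.limit;
  }
}

// Simulates `instances` servers behind a round-robin load balancer handling one client.
// shared=false: each instance has its own MemoryStore (the reported bug);
// shared=true: all instances use one store, as a Redis-backed limiter would.
function allowedAcrossInstances(instances: number, shared: boolean, requests: number): number {
  const AUTH_LIMIT = 5;          // 5 requests per window, from the overview
  const WINDOW_MS = 60_000;      // one minute
  const sharedStore = new MemoryStore();
  const limiters = Array.from({ length: instances }, () =>
    new RateLimiter(shared ? sharedStore : new MemoryStore(), AUTH_LIMIT, WINDOW_MS));
  let allowed = 0;
  for (let i = 0; i < requests; i++) {
    if (limiters[i % instances].check("client-A", 0)) allowed++;
  }
  return allowed;
}
```

With 3 instances and 30 requests in one window, the per-instance stores admit 15 requests while the shared store admits exactly 5.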