Merged
1 change: 1 addition & 0 deletions apps/webapp/app/services/apiRateLimit.server.ts
Expand Up @@ -61,6 +61,7 @@ export const apiRateLimiter = authorizationRateLimitMiddleware({
"/api/v1/auth/jwt/claims",
/^\/api\/v1\/runs\/[^\/]+\/attempts$/, // /api/v1/runs/$runFriendlyId/attempts
/^\/api\/v1\/waitpoints\/tokens\/[^\/]+\/callback\/[^\/]+$/, // /api/v1/waitpoints/tokens/$waitpointFriendlyId/callback/$hash
/^\/api\/v1\/deployments/, // /api/v1/deployments/*
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Repository: triggerdotdev/trigger.dev

🏁 Script executed:
# First, let's examine the full apiRateLimit.server.ts file to understand context
cat -n apps/webapp/app/services/apiRateLimit.server.ts
Length of output: 3569

🏁 Script executed:
# Read the full apiRateLimit.server.ts file
wc -l apps/webapp/app/services/apiRateLimit.server.ts
Length of output: 119

🏁 Script executed:
# Get file size and content
cat -n apps/webapp/app/services/apiRateLimit.server.ts | head -100
Length of output: 3569

🏁 Script executed:
# Search for /api/v1/deployments route definitions
rg -n "api/v1/deployments" --type=ts --type=tsx -g '!node_modules' -g '!*.test.*' -A 5
Length of output: 96

🏁 Script executed:
# Find route files and deployment-related endpoints
find apps/webapp/app -name "*deploy*" -o -name "*route*" | head -20
Length of output: 1788

🏁 Script executed:
# Search for deployment route handlers in a different way
rg "deployments" apps/webapp/app --type=ts --type=tsx -l | grep -E "(route|api)" | head -10
Length of output: 96

🏁 Script executed:
# Look for routes directory structure
find apps/webapp/app -type d -name "routes" -o -name "api"
Length of output: 111

🏁 Script executed:
# Search for files containing /deployments in api context
rg "deployments" apps/webapp/app --type=ts --type=tsx -B 2 -A 2 | head -100
Length of output: 96

🏁 Script executed:
# List API directory structure
find apps/webapp/app/api -type f -name "*deploy*" | head -20
Length of output: 51

🏁 Script executed:
# Search for deployments in the api directory
rg "deployments" apps/webapp/app/api -t js -t ts -B 2 -A 5 2>/dev/null | head -150
Length of output: 51

🏁 Script executed:
# List the api directory structure
ls -la apps/webapp/app/api/ | head -30
Length of output: 243

🏁 Script executed:
# Find all TypeScript files in api directory
find apps/webapp/app/api -name "*.ts" -o -name "*.js" | grep -i deploy
Length of output: 51

🏁 Script executed:
# Look at the structure of api directory
find apps/webapp/app/api -type d | head -20
Length of output: 88

🏁 Script executed:
# Search all app files for /api/v1/deployments references
rg "/api/v1/deployments" apps/webapp/app -t js -t ts 2>/dev/null
Length of output: 172

🏁 Script executed:
# Check if deployments routes exist in routes directory
find apps/webapp/app/routes -name "*deploy*"
Length of output: 1697

🏁 Script executed:
# List what's in the api folder
ls -1 apps/webapp/app/api/ 2>/dev/null | head -50
Length of output: 80

🏁 Script executed:
# Examine the main deployments endpoint
cat -n apps/webapp/app/routes/api.v1.deployments.ts
Length of output: 7155

🏁 Script executed:
# Check the cancel endpoint to see what operations are being whitelisted
head -50 apps/webapp/app/routes/api.v1.deployments.$deploymentId.cancel.ts
Length of output: 180

🏁 Script executed:
# Check the finalize endpoint
head -50 apps/webapp/app/routes/api.v1.deployments.$deploymentId.finalize.ts
Length of output: 182

🏁 Script executed:
# List the exact deployment endpoint files
ls -1 apps/webapp/app/routes/api.v1.deployments*
Length of output: 729

🏁 Script executed:
# Check one of the state-changing endpoints
cat apps/webapp/app/routes/'api.v1.deployments.$deploymentId.cancel.ts' | head -40
Length of output: 1488

🏁 Script executed:
# Check how many deployment endpoints there are and their purpose
for file in apps/webapp/app/routes/api.v1.deployments*.ts; do
  echo "=== $(basename "$file") ==="
  head -20 "$file" | grep -E "(export|function|route)" | head -3
done
Length of output: 1374


Verify if all /api/v1/deployments/* endpoints should be excluded from rate limiting.

The pathWhiteList excludes these endpoints from rate limiting entirely. Unlike other whitelist entries (which are webhook receivers like task callbacks and waitpoint callbacks), deployment endpoints are client-facing API operations that perform state changes: creating deployments, canceling them, finalizing them, and promoting versions.

Line 64's pattern /^\/api\/v1\/deployments/ is intentionally broad and will match all deployment sub-endpoints. These endpoints require API authentication but will no longer have rate limit protection, which differs from other whitelist entries that receive external webhooks and cannot control incoming request rates.

Consider whether this broad exclusion is appropriate, or if only specific callback-like sub-paths (if any exist) should be whitelisted instead. The temporary nature mentioned in the PR does not address the current unprotected state of these resource-creation operations.

🤖 Prompt for AI Agents
In apps/webapp/app/services/apiRateLimit.server.ts around line 64, the current
whitelist entry /^\/api\/v1\/deployments/ is too broad and removes rate-limiting
from all client-facing deployment endpoints; narrow the whitelist to only
specific webhook/callback subpaths that truly require exemption (or remove the
whitelist entry entirely) and ensure all state-changing routes (create, cancel,
finalize, promote) remain behind rate limiting and authentication; update the
pattern(s) to target only those exact callback paths (e.g., explicit /callbacks
or /webhook suffixes) or delete the entry and document the temporary exception
if it's required for a short window.
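To make the review point above concrete, here is an added example (not code from the trigger.dev repository) that evaluates the whitelist entries shown in the hunk against a few constructed request paths. It assumes the matching semantics of pathWhiteList are "string entry equals the path exactly, RegExp entry is tested against the path"; the boundedDeployments pattern is an assumed alternative, not something the PR proposes.

```typescript
// Added example, not code from trigger.dev. It reproduces the whitelist
// semantics assumed here: a string entry must equal the request path
// exactly, and a RegExp entry is tested against it.
type WhiteListEntry = string | RegExp;

// The entries visible in the hunk, including the one added by this PR.
const pathWhiteList: WhiteListEntry[] = [
  "/api/v1/auth/jwt/claims",
  /^\/api\/v1\/runs\/[^\/]+\/attempts$/,
  /^\/api\/v1\/waitpoints\/tokens\/[^\/]+\/callback\/[^\/]+$/,
  /^\/api\/v1\/deployments/, // added by this PR: prefix match, no end anchor
];

// Returns the source of the entry that exempts `path` from rate limiting,
// or null if the path would still be rate limited.
function matchingEntry(path: string, list: WhiteListEntry[] = pathWhiteList): string | null {
  for (const entry of list) {
    if (entry instanceof RegExp) {
      if (entry.test(path)) return entry.source;
    } else if (entry === path) {
      return entry;
    }
  }
  return null;
}

// Assumed alternative (not from the PR): still covers /api/v1/deployments
// and everything beneath it, but requires a "/" or end-of-string after the
// prefix, so sibling paths that merely share the prefix stay rate limited.
const boundedDeployments = /^\/api\/v1\/deployments(\/|$)/;

// Constructed sample paths, not taken from the repository.
const samplePaths: string[] = [
  "/api/v1/runs/run_abc/attempts",       // anchored entry: exempt
  "/api/v1/runs/run_abc/attempts/extra", // the "$" anchor keeps this limited
  "/api/v1/deployments",                 // exempt via the new entry
  "/api/v1/deployments/dep_abc/cancel",  // state-changing sub-endpoint: exempt too
  "/api/v1/deployments-archive",         // shares the prefix only: still exempt
];

// Map each sample path to the whitelist entry that matched it (null = rate limited).
function report(list: WhiteListEntry[] = pathWhiteList): Record<string, string | null> {
  const out: Record<string, string | null> = {};
  for (const p of samplePaths) out[p] = matchingEntry(p, list);
  return out;
}
```

Running report() shows that every deployment path, including the cancel sub-endpoint and the sibling path that only shares the prefix, is exempted by the new entry, while the "$"-anchored entries exempt exactly one path shape each.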

],
log: {
rejections: env.API_RATE_LIMIT_REJECTION_LOGS_ENABLED === "1",
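Review bot: The new entry `/^\/api\/v1\/deployments/` has neither an end anchor nor a path-separator boundary, so it differs from the two neighbouring RegExp entries (both end in `$` and are scoped to a single callback path) in two ways: it exempts every sub-endpoint under /api/v1/deployments from rate limiting, and it also matches any sibling path that merely begins with that prefix, which is more than the `// /api/v1/deployments/*` comment documents. If a prefix exemption really is intended, at least bound it to the subtree, e.g. `/^\/api\/v1\/deployments(\/|$)/`; otherwise list the specific sub-path(s) that need the exemption with a `$` anchor like the other entries. Note also that the `rejections` log configured just below only records limiter rejections, so requests bypassed through this whitelist leave no trace there; if the exemption is meant to be temporary, a comment stating that (or an env-gated flag) would make it easier to find and remove later.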