Skip to content

Update constants.ts#62

Open
alexandersucala wants to merge 1 commit into
mainfrom
alexandersucala-patch-48-2
Open

Update constants.ts#62
alexandersucala wants to merge 1 commit into
mainfrom
alexandersucala-patch-48-2

Conversation

@alexandersucala

Copy link
Copy Markdown
Owner

What does this PR do?

Adds configurable rate limiting constants for API routes. This allows teams to customize rate limit thresholds per environment instead of relying on hardcoded defaults in the middleware.

Visual Demo (For contributors especially)
N/A - Configuration constants only, no UI changes.

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox. N/A
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

  • Set RATE_LIMIT_WINDOW_MS and RATE_LIMIT_MAX_REQUESTS in .env
  • Start the dev server and verify rate limiting behavior on /api routes
  • Confirm default values work when env vars are not set

Checklist

  • I have read the contributing guide
  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have checked that my changes generate no new warnings
  • My PR is not too large (>500 lines or >10 files)

@matrixreview

matrixreview Bot commented Mar 24, 2026

Copy link
Copy Markdown

🔴 MatrixReview — RED

⚙️ = code-backed  ·  🔎 = doc-backed  ·  💭 = AI suggestion  ·  📖 = doc citation  ·  📝 = PR location

Risk: 44 files directly affected | 12 broken importers
Findings: 15 (12 code-backed, 12 doc-backed, 1 AI suggestions)

🔴 SECURITY — 10 findings (8 code-backed, 1 doc-backed, 1 AI)
  • ⚙️ CRITICAL: 8 files with auth, crypto, data, input, network access depend on modified constants.ts

    Show affected files
  • 🔎 [SECURITY] Hardcoded default bypass token 'rl_bypass_default_k8s' is exposed in source code, which could allow attackers to bypass rate limiting if they discover this token.

    • Also flagged by: ARCHITECTURE, STYLE
      📖 AGENTS_security_section.md lines 16-17 📝 packages/lib/constants.ts line 354
  • 💭 [BUG] The RATE_LIMIT_WINDOW_MS and RATE_LIMIT_MAX_REQUESTS parsing logic will produce NaN (which becomes 0) when the environment variable contains non-numeric values, potentially disabling rate limiting ...

    Read more

    ...entirely.

    - *Also flagged by: ARCHITECTURE, STYLE, ONBOARDING* 📝 `packages/lib/constants.ts lines 342-350`
🔴 ARCHITECTURE — 4 findings (4 code-backed)

🟢 LEGAL — No issues found

🟡 STYLE — No issues found

🔴 ONBOARDING — 1 findings (1 doc-backed)
  • 🔎 [CHORE] The PR description mentions 'Fixes fix/connected calendar list different states calcom/cal.diy#4821' and 'Fixes CAL-3847' but does not follow the conventional commits format for the PR title. According to quality-pr-creation_onboarding_section.md (v1), PR ...

    Read more

    ...titles should use conventional commits like 'feat:', 'fix:', 'refactor:' and be specific.

    📖 *quality-pr-creation_onboarding_section.md (v1) lines 10-12*

Powered by MatrixReview · Report incorrect finding

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant