fix(rate-limit): close rate-limit bypass and tighten public route limits (#4591)

* fix(rate-limit): close rate-limit bypass and tighten public route limits

* fix(rate-limit): address PR review — drop success field from 429 body, fall back to per-IP when JWT auth lacks userId

Author: waleedlatif1

apps/sim/app/api/auth/socket-token/route.ts

@@ -1,18 +1,26 @@
 import { createLogger } from '@sim/logger'
 import { toError } from '@sim/utils/errors'
 import { headers } from 'next/headers'
-import { NextResponse } from 'next/server'
+import { type NextRequest, NextResponse } from 'next/server'
 import { auth } from '@/lib/auth'
 import { isAuthDisabled } from '@/lib/core/config/feature-flags'
+import { enforceIpRateLimit } from '@/lib/core/rate-limiter'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
 const logger = createLogger('SocketTokenAPI')
 
-export const POST = withRouteHandler(async () => {
+export const POST = withRouteHandler(async (request: NextRequest) => {
   if (isAuthDisabled) {
     return NextResponse.json({ token: 'anonymous-socket-token' })
   }
 
+  const rateLimited = await enforceIpRateLimit('socket-token', request, {
+    maxTokens: 30,
+    refillRate: 30,
+    refillIntervalMs: 60_000,
+  })
+  if (rateLimited) return rateLimited
+
   try {
     const hdrs = await headers()
     const response = await auth.api.generateOneTimeToken({

apps/sim/app/api/auth/sso/providers/route.ts

@@ -5,6 +5,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { listSsoProvidersContract } from '@/lib/api/contracts/auth'
 import { parseRequest } from '@/lib/api/server'
 import { getSession } from '@/lib/auth'
+import { enforceIpRateLimit } from '@/lib/core/rate-limiter'
 import { REDACTED_MARKER } from '@/lib/core/security/redaction'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
@@ -13,6 +14,14 @@ const logger = createLogger('SSOProvidersRoute')
 export const GET = withRouteHandler(async (request: NextRequest) => {
   try {
     const session = await getSession()
+    if (!session?.user?.id) {
+      const rateLimited = await enforceIpRateLimit('sso-providers', request, {
+        maxTokens: 20,
+        refillRate: 20,
+        refillIntervalMs: 60_000,
+      })
+      if (rateLimited) return rateLimited
+    }
     const parsed = await parseRequest(listSsoProvidersContract, request, {})
     if (!parsed.success) return parsed.response
     const { organizationId } = parsed.data.query

apps/sim/app/api/chat/[identifier]/otp/route.test.ts

@@ -423,7 +423,7 @@ describe('Chat OTP API Route', () => {
       expect(headerSet).toHaveBeenCalledWith('Retry-After', '900')
     })
 
-    it('skips IP rate limit when client IP is unknown', async () => {
+    it('folds spoofed `unknown` client IPs into a single shared bucket', async () => {
       requestUtilsMockFns.mockGetClientIp.mockReturnValueOnce('unknown')
       buildDeploymentSelect()
 
@@ -434,8 +434,11 @@ describe('Chat OTP API Route', () => {
 
       await POST(request, { params: Promise.resolve({ identifier: mockIdentifier }) })
 
-      // Only the email-scoped check should run, not the IP-scoped one
-      expect(mockCheckRateLimitDirect).toHaveBeenCalledTimes(1)
+      expect(mockCheckRateLimitDirect).toHaveBeenCalledTimes(2)
+      expect(mockCheckRateLimitDirect).toHaveBeenCalledWith(
+        expect.stringMatching(/^chat-otp:ip:.*:unknown$/),
+        expect.any(Object)
+      )
       expect(mockCheckRateLimitDirect).toHaveBeenCalledWith(
         expect.stringContaining('chat-otp:email:'),
         expect.any(Object)

apps/sim/app/api/chat/[identifier]/otp/route.ts

@@ -223,20 +223,18 @@ export const POST = withRouteHandler(
 
     try {
       const ip = getClientIp(request)
-      if (ip !== 'unknown') {
-        const ipRateLimit = await rateLimiter.checkRateLimitDirect(
-          `chat-otp:ip:${identifier}:${ip}`,
-          OTP_IP_RATE_LIMIT
+      const ipRateLimit = await rateLimiter.checkRateLimitDirect(
+        `chat-otp:ip:${identifier}:${ip}`,
+        OTP_IP_RATE_LIMIT
+      )
+      if (!ipRateLimit.allowed) {
+        logger.warn(`[${requestId}] OTP IP rate limit exceeded for ${identifier} from ${ip}`)
+        const retryAfter = Math.ceil(
+          (ipRateLimit.retryAfterMs ?? OTP_IP_RATE_LIMIT.refillIntervalMs) / 1000
         )
-        if (!ipRateLimit.allowed) {
-          logger.warn(`[${requestId}] OTP IP rate limit exceeded for ${identifier} from ${ip}`)
-          const retryAfter = Math.ceil(
-            (ipRateLimit.retryAfterMs ?? OTP_IP_RATE_LIMIT.refillIntervalMs) / 1000
-          )
-          const response = createErrorResponse('Too many requests. Please try again later.', 429)
-          response.headers.set('Retry-After', String(retryAfter))
-          return addCorsHeaders(response, request)
-        }
+        const response = createErrorResponse('Too many requests. Please try again later.', 429)
+        response.headers.set('Retry-After', String(retryAfter))
+        return addCorsHeaders(response, request)
       }
 
       const parsed = await parseRequest(requestChatEmailOtpContract, request, context, {

apps/sim/app/api/chat/[identifier]/sso/route.ts

@@ -30,20 +30,18 @@ export const POST = withRouteHandler(
     const requestId = generateRequestId()
 
     const ip = getClientIp(request)
-    if (ip !== 'unknown') {
-      const ipRateLimit = await rateLimiter.checkRateLimitDirect(
-        `chat-sso:ip:${ip}`,
-        SSO_IP_RATE_LIMIT
+    const ipRateLimit = await rateLimiter.checkRateLimitDirect(
+      `chat-sso:ip:${ip}`,
+      SSO_IP_RATE_LIMIT
+    )
+    if (!ipRateLimit.allowed) {
+      logger.warn(`[${requestId}] SSO eligibility rate limit exceeded from ${ip}`)
+      const retryAfter = Math.ceil(
+        (ipRateLimit.retryAfterMs ?? SSO_IP_RATE_LIMIT.refillIntervalMs) / 1000
       )
-      if (!ipRateLimit.allowed) {
-        logger.warn(`[${requestId}] SSO eligibility rate limit exceeded from ${ip}`)
-        const retryAfter = Math.ceil(
-          (ipRateLimit.retryAfterMs ?? SSO_IP_RATE_LIMIT.refillIntervalMs) / 1000
-        )
-        const response = createErrorResponse('Too many requests. Please try again later.', 429)
-        response.headers.set('Retry-After', String(retryAfter))
-        return addCorsHeaders(response, request)
-      }
+      const response = createErrorResponse('Too many requests. Please try again later.', 429)
+      response.headers.set('Retry-After', String(retryAfter))
+      return addCorsHeaders(response, request)
     }
 
     const parsed = await parseRequest(chatSSOContract, request, context)

apps/sim/app/api/telemetry/route.ts

@@ -4,6 +4,7 @@ import { telemetryContract } from '@/lib/api/contracts/telemetry'
 import { parseRequest } from '@/lib/api/server'
 import { env } from '@/lib/core/config/env'
 import { isProd } from '@/lib/core/config/feature-flags'
+import { enforceIpRateLimit } from '@/lib/core/rate-limiter'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
 const logger = createLogger('TelemetryAPI')
@@ -148,6 +149,13 @@ async function forwardToCollector(data: Record<string, unknown>): Promise<boolea
  * Endpoint that receives telemetry events and forwards them to OpenTelemetry collector
  */
 export const POST = withRouteHandler(async (req: NextRequest) => {
+  const rateLimited = await enforceIpRateLimit('telemetry', req, {
+    maxTokens: 60,
+    refillRate: 30,
+    refillIntervalMs: 60_000,
+  })
+  if (rateLimited) return rateLimited
+
   try {
     const parsed = await parseRequest(telemetryContract, req, {})
     if (!parsed.success) return parsed.response

apps/sim/app/api/templates/[id]/route.ts

@@ -7,7 +7,8 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { templateIdParamsSchema, updateTemplateContract } from '@/lib/api/contracts/templates'
 import { parseRequest } from '@/lib/api/server'
 import { getSession } from '@/lib/auth'
-import { generateRequestId } from '@/lib/core/utils/request'
+import { RateLimiter } from '@/lib/core/rate-limiter'
+import { generateRequestId, getClientIp } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { canAccessTemplate } from '@/lib/templates/permissions'
 import {
@@ -18,6 +19,18 @@ import type { WorkflowState } from '@/stores/workflows/workflow/types'
 
 const logger = createLogger('TemplateByIdAPI')
 
+const viewRateLimiter = new RateLimiter()
+
+/**
+ * Per-IP, per-template view-counter dedup bucket: one increment per 10 minutes.
+ * Prevents scripted inflation of `templates.views` from the public GET handler.
+ */
+const TEMPLATE_VIEW_DEDUP = {
+  maxTokens: 1,
+  refillRate: 1,
+  refillIntervalMs: 10 * 60_000,
+}
+
 export const revalidate = 0
 
 export const GET = withRouteHandler(
@@ -63,21 +76,31 @@ export const GET = withRouteHandler(
         isStarred = starResult.length > 0
       }
 
-      const shouldIncrementView = template.status === 'approved'
+      let shouldIncrementView = template.status === 'approved'
 
       if (shouldIncrementView) {
-        try {
-          await db
-            .update(templates)
-            .set({
-              views: sql`${templates.views} + 1`,
-            })
-            .where(eq(templates.id, id))
-        } catch (viewError) {
-          logger.warn(
-            `[${requestId}] Failed to increment view count for template: ${id}`,
-            viewError
-          )
+        const viewer = session?.user?.id ?? `ip:${getClientIp(request)}`
+        const dedupKey = `template-view:${id}:${viewer}`
+        const { allowed } = await viewRateLimiter.checkRateLimitDirect(
+          dedupKey,
+          TEMPLATE_VIEW_DEDUP
+        )
+        if (!allowed) {
+          shouldIncrementView = false
+        } else {
+          try {
+            await db
+              .update(templates)
+              .set({
+                views: sql`${templates.views} + 1`,
+              })
+              .where(eq(templates.id, id))
+          } catch (viewError) {
+            logger.warn(
+              `[${requestId}] Failed to increment view count for template: ${id}`,
+              viewError
+            )
+          }
         }
       }
 

apps/sim/app/api/tools/a2a/cancel-task/route.ts

@@ -5,6 +5,7 @@ import { createA2AClient } from '@/lib/a2a/utils'
 import { a2aCancelTaskContract } from '@/lib/api/contracts/tools/a2a'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { enforceUserOrIpRateLimit } from '@/lib/core/rate-limiter'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
@@ -29,6 +30,13 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       )
     }
 
+    const rateLimited = await enforceUserOrIpRateLimit(
+      'a2a-cancel-task',
+      authResult.userId,
+      request
+    )
+    if (rateLimited) return rateLimited
+
     const parsed = await parseRequest(
       a2aCancelTaskContract,
       request,

apps/sim/app/api/tools/a2a/delete-push-notification/route.ts

@@ -4,6 +4,7 @@ import { createA2AClient } from '@/lib/a2a/utils'
 import { a2aDeletePushNotificationContract } from '@/lib/api/contracts/tools/a2a'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { enforceUserOrIpRateLimit } from '@/lib/core/rate-limiter'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
@@ -30,6 +31,13 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       )
     }
 
+    const rateLimited = await enforceUserOrIpRateLimit(
+      'a2a-delete-push-notification',
+      authResult.userId,
+      request
+    )
+    if (rateLimited) return rateLimited
+
     logger.info(
       `[${requestId}] Authenticated A2A delete push notification request via ${authResult.authType}`,
       {

apps/sim/app/api/tools/a2a/get-agent-card/route.ts

@@ -4,6 +4,7 @@ import { createA2AClient } from '@/lib/a2a/utils'
 import { a2aGetAgentCardContract } from '@/lib/api/contracts/tools/a2a'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { enforceUserOrIpRateLimit } from '@/lib/core/rate-limiter'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
@@ -28,6 +29,13 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       )
     }
 
+    const rateLimited = await enforceUserOrIpRateLimit(
+      'a2a-get-agent-card',
+      authResult.userId,
+      request
+    )
+    if (rateLimited) return rateLimited
+
     logger.info(
       `[${requestId}] Authenticated A2A get agent card request via ${authResult.authType}`,
       {