feat(chat): add session-based chat rate limiting (#224) #283
Merged
MaryammAli merged 1 commit intoJul 1, 2026
Add a chat-specific sliding-window rate limiter keyed by session (senderId) to prevent message flooding. Both createMessage and shareCodeSnippet share one budget and throw 429 Too Many Requests when the limit is exceeded.

Closes BlockDash-Studios#224

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Creative-Titilayo Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
Overview
This PR adds session-based chat rate limiting to BackendAcademy/src/chat/ so a single session cannot flood chat rooms with messages. It introduces a sliding-window rate limiter keyed by session (senderId) that is scoped to the chat module and independent of the global IP-based ThrottlerGuard. When a session exceeds the limit, the API responds with 429 Too Many Requests and a retryAfter hint.
Related Issue
Closes #224
Closes #219
Closes #258
Changes
⚙️ Session-Based Rate Limiter
BackendAcademy/src/chat/chat-rate-limit.ts
ChatRateLimiter using a sliding-window algorithm keyed by session (senderId).
ChatRateLimitConfig.
check() prunes timestamps outside the window, blocks when the limit is hit, and returns a retryAfterSeconds hint.
DEFAULT_CHAT_RATE_LIMIT and a reset() helper for testing.
🌐 Chat Service Integration
BackendAcademy/src/chat/chat.service.ts
enforceRateLimit(senderId) that throws an HttpException with status 429 Too Many Requests (payload includes statusCode, message, and retryAfter).
createMessage and shareCodeSnippet so they share one per-session budget.
🧪 Tests
BackendAcademy/src/chat/chat.service.spec.ts
429 once a session exceeds the limit, and confirms the limit is shared across createMessage and shareCodeSnippet.
Verification Results
src/chat/
senderId)
createMessage
shareCodeSnippet (shared budget)
429 Too Many Requests with retryAfter when exceeded
ThrottlerGuard
Notes
Chat state is currently held in memory, so the limiter is per-instance and resets on restart — consistent with the rest of the chat module today. If chat moves to multiple instances, the limiter should be backed by Redis (a module already exists in the repo) for shared state.
🤖 Generated with Claude Code
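
A sketch of the per-session sliding-window check the description above outlines, added here as an example and not taken from the PR's code. The names SlidingWindowLimiter, handle and sweep, the limit of 3 per 10 s used when exercising it, the 201 success status and the injected clock are assumptions; the idle-session sweep is an addition the PR description does not mention.

```typescript
// Added illustration (not the PR's code); names and limits are assumptions.
interface LimitConfig { limit: number; windowMs: number }
interface ChatResponse { statusCode: number; message: string; retryAfter: number }
type ChatAction = "createMessage" | "shareCodeSnippet";

class SlidingWindowLimiter {
  private hits = new Map<string, number[]>();
  private cfg: LimitConfig;
  constructor(cfg: LimitConfig) { this.cfg = cfg; }

  // Returns 0 when the call is admitted, otherwise the seconds to wait.
  check(key: string, nowMs: number = Date.now()): number {
    const cutoff = nowMs - this.cfg.windowMs;
    // Prune timestamps that have slid out of the window.
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff);
    this.hits.set(key, recent);
    if (recent.length >= this.cfg.limit) {
      // Rejected calls are not recorded, so retrying cannot extend the block.
      const oldest = recent[0] ?? nowMs;
      return Math.max(1, Math.ceil((oldest + this.cfg.windowMs - nowMs) / 1000));
    }
    recent.push(nowMs);
    return 0;
  }

  // Drop sessions with no hits left in the window so the map stays bounded
  // by the number of recently active sessions. Returns how many were removed.
  sweep(nowMs: number = Date.now()): number {
    const cutoff = nowMs - this.cfg.windowMs;
    let removed = 0;
    this.hits.forEach((stamps, key) => {
      if (stamps.every((t) => t <= cutoff)) { this.hits.delete(key); removed++; }
    });
    return removed;
  }
}

// Both chat actions key on senderId alone, so they draw from one budget.
function handle(lim: SlidingWindowLimiter, action: ChatAction, senderId: string, nowMs: number): ChatResponse {
  const wait = lim.check(senderId, nowMs);
  return wait === 0
    ? { statusCode: 201, message: action + " accepted", retryAfter: 0 }
    : { statusCode: 429, message: "Too Many Requests", retryAfter: wait };
}
```

Because the key is the session alone, a fourth call of either kind inside the window is rejected, while a different senderId is unaffected.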