feat(chat): add session-based chat rate limiting (#224) #283

Merged: MaryammAli merged 1 commit into BlockDash-Studios:main from Creative-Titilayo:fix/issue-224-chat-rate-limiting on Jul 1, 2026

Creative-Titilayo (Contributor) commented Jun 30, 2026

Overview

This PR adds session-based chat rate limiting to BackendAcademy/src/chat/ so a single session cannot flood chat rooms with messages. It introduces a sliding-window rate limiter keyed by session (senderId) that is scoped to the chat module and independent of the global IP-based ThrottlerGuard. When a session exceeds the limit, the API responds with 429 Too Many Requests and a retryAfter hint.

Related Issue

Closes #224
Closes #219
Closes #258

Changes

⚙️ Session-Based Rate Limiter

  • [ADD] BackendAcademy/src/chat/chat-rate-limit.ts
  • Added a ChatRateLimiter using a sliding-window algorithm keyed by session (senderId).
  • Default policy: 10 messages per 10 seconds, configurable via ChatRateLimitConfig.
  • check() prunes timestamps outside the window, blocks when the limit is hit, and returns a retryAfterSeconds hint.
  • Exposed DEFAULT_CHAT_RATE_LIMIT and a reset() helper for testing.

🌐 Chat Service Integration

  • [MODIFY] BackendAcademy/src/chat/chat.service.ts
  • Added a private enforceRateLimit(senderId) that throws an HttpException with status 429 Too Many Requests (payload includes statusCode, message, and retryAfter).
  • Wired the check into both createMessage and shareCodeSnippet so they share one per-session budget.

🧪 Tests

  • [MODIFY] BackendAcademy/src/chat/chat.service.spec.ts
  • Added limiter-level tests: allows up to the limit then blocks, isolates sessions, and resets after the window elapses.
  • Added service-level tests: rejects with 429 once a session exceeds the limit, and confirms the limit is shared across createMessage and shareCodeSnippet.

Verification Results

npm run typecheck (tsc --noEmit)  ✅ passed
npm test -- src/chat              ✅ passed (6/6)
npm run build (nest build)        ✅ passed
npm run lint                      ⚠️ existing repo issue only (no ESLint config present on main)

Acceptance Criteria Status

  • Chat-specific rate limiting added under src/chat/
  • Limiting is session-based (keyed by senderId)
  • Applies to createMessage
  • Applies to shareCodeSnippet (shared budget)
  • Returns 429 Too Many Requests with retryAfter when exceeded
  • Independent of the global IP-based ThrottlerGuard
  • Build passes successfully
  • Chat service tests pass successfully

Notes

Chat state is currently held in memory, so the limiter is per-instance and resets on restart — consistent with the rest of the chat module today. If chat moves to multiple instances, the limiter should be backed by Redis (a module already exists in the repo) for shared state.

🤖 Generated with Claude Code

Add a chat-specific sliding-window rate limiter keyed by session
(senderId) to prevent message flooding. Both createMessage and
shareCodeSnippet share one budget and throw 429 Too Many Requests
when the limit is exceeded.

Closes BlockDash-Studios#224

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
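
An added example, not part of this PR and not the project's code: a minimal sliding-window limiter of the kind the description outlines (prune old timestamps, block at the limit, return a retry hint). All names here (`SlidingWindowLimiter`, `LimitConfig`, `sweep`, the injectable clock) are assumptions; `sweep` goes beyond the description by evicting idle keys so the in-memory map does not grow without bound.

```typescript
// Added sketch: hypothetical names, not the merged chat-rate-limit.ts.
interface LimitConfig { limit: number; windowMs: number; }
interface Decision { allowed: boolean; retryAfterSeconds: number; }

// Policy stated in the PR description: 10 messages per 10 seconds.
const DEFAULT_LIMIT: LimitConfig = { limit: 10, windowMs: 10000 };

class SlidingWindowLimiter {
  private readonly hits = new Map<string, number[]>();
  private readonly config: LimitConfig;
  private readonly now: () => number;

  // The clock is injectable so tests do not have to sleep.
  constructor(config: LimitConfig = DEFAULT_LIMIT, now: () => number = () => Date.now()) {
    this.config = config;
    this.now = now;
  }

  check(sessionKey: string): Decision {
    const t = this.now();
    const cutoff = t - this.config.windowMs;
    // Prune timestamps that have slid out of the window.
    const recent = (this.hits.get(sessionKey) ?? []).filter((ts) => ts > cutoff);
    if (recent.length >= this.config.limit) {
      this.hits.set(sessionKey, recent);
      // A slot frees up when the oldest remaining hit leaves the window.
      const waitMs = (recent[0] ?? t) + this.config.windowMs - t;
      return { allowed: false, retryAfterSeconds: Math.max(1, Math.ceil(waitMs / 1000)) };
    }
    recent.push(t);
    this.hits.set(sessionKey, recent);
    return { allowed: true, retryAfterSeconds: 0 };
  }

  // Evict keys whose hits have all expired, so idle sessions do not
  // accumulate in memory. Returns the number of keys removed.
  sweep(): number {
    const cutoff = this.now() - this.config.windowMs;
    let removed = 0;
    this.hits.forEach((stamps, key) => {
      if (stamps.every((ts) => ts <= cutoff)) {
        this.hits.delete(key);
        removed++;
      }
    });
    return removed;
  }
  size(): number { return this.hits.size; }
}
```

The limit only holds if the key passed to `check` is derived server-side from the authenticated session, not read from a field the client sets.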

drips-wave Bot commented Jun 30, 2026

@Creative-Titilayo Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@MaryammAli MaryammAli merged commit 33a450e into BlockDash-Studios:main Jul 1, 2026
1 check passed

Development

Successfully merging this pull request may close these issues.

  • Add backend support for daily summaries
  • Add session-based chat rate limiting
  • Add live session attendance tracking