You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Adds configurable rate limiting constants for API routes. This allows teams to customize rate limit thresholds per environment instead of relying on hardcoded defaults in the middleware.
I have self-reviewed the code (A decent size PR without self-review might be rejected).
I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox. N/A
I confirm automated tests are in place that prove my fix is effective or that my feature works.
How should this be tested?
Set RATE_LIMIT_WINDOW_MS and RATE_LIMIT_MAX_REQUESTS in .env
Start the dev server and verify rate limiting behavior on /api routes
Confirm default values work when env vars are not set
Checklist
I have read the contributing guide
My code follows the style guidelines of this project
I have commented my code, particularly in hard-to-understand areas
I have checked that my changes generate no new warnings
🔎 [SECURITY] Hardcoded default rate limit bypass token 'rl_bypass_default_k8s' is exposed in source code. This could allow attackers to bypass rate limiting if they discover the token value.
Also flagged by: ARCHITECTURE, STYLE
📖 AGENTS_security_section.md lines 30-31 📝 packages/lib/constants.ts line 354
💭 [BUG] Environment variable parsing for RATE_LIMIT_WINDOW_MS and RATE_LIMIT_MAX_REQUESTS uses parseInt with empty string fallback which could result in NaN values when the environment variable contains no...
🔎 [POLICY_VIOLATION] PR description states 'I confirm automated tests are in place that prove my fix is effective or that my feature works', but no tests are included in the PR diff. The contribution guidelines require...
🔎 [CHORE] PR template checklist includes 'I have updated the developer docs in /docs if this PR makes changes that would require a documentation change' checked as 'N/A', but this PR adds new environment var...
Read more
...iables (RATE_LIMIT_WINDOW_MS, RATE_LIMIT_MAX_REQUESTS, ADMIN_BYPASS_TOKEN) that should be documented.
🔎 [CHORE] PR description mentions 'Fixes fix/connected calendar list different states calcom/cal.diy#4821' and 'Fixes CAL-3847' but doesn't explain how these issues are addressed or provide context about the changes. The description is minimal and lacks detail about...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Adds configurable rate limiting constants for API routes. This allows teams to customize rate limit thresholds per environment instead of relying on hardcoded defaults in the middleware.
Visual Demo (For contributors especially)
N/A - Configuration constants only, no UI changes.
Mandatory Tasks (DO NOT REMOVE)
How should this be tested?
Checklist