Open
…dis support
- Added edge-compatible abuse protection utilities for IP blocking and request rate limiting.
- Created a new `index.ts` for the OTP abuse protection system, including functions for checking OTP send limits, blocking IPs, and managing abuse events.
- Introduced types for the abuse protection system in `types.ts`.
- Developed an API proxy guard to enforce rate limits and handle trusted proxy bypass rules.
- Implemented Redis client initialization for Upstash in `upstash-rest.ts`.
Pull request overview
Adds an edge-compatible abuse protection and proxy guard layer to rate-limit/deny abusive API traffic (OTP/auth and general API), backed by Upstash Redis REST, and wires it into the Next.js proxy middleware.
Changes:
- Introduces OTP abuse-protection module (Redis + memory fallback) with constants/types and Vitest coverage.
- Adds an API proxy guard that enforces per-route rate limits, IP-block checks, payload-size limits, and trusted-proxy bypass rules.
- Moves Upstash dependencies into `@ncthub/utils` and integrates the guard into `apps/web` proxy middleware.
Reviewed changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| packages/utils/src/upstash-rest.ts | Adds Upstash REST env detection and client factory. |
| packages/utils/src/api-proxy-guard.ts | New proxy-level rate limiting + IP-block enforcement + bypass rules. |
| packages/utils/src/abuse-protection/constants.ts | Defines thresholds, block durations, Redis key helpers, and time windows. |
| packages/utils/src/abuse-protection/types.ts | Adds core types for abuse protection and block/event modeling. |
| packages/utils/src/abuse-protection/index.ts | Implements OTP/auth abuse checks, counters, and IP blocking logic (Redis + memory fallback). |
| packages/utils/src/abuse-protection/edge.ts | Edge-safe IP extraction + Redis-only IP-block checks for proxy/middleware usage. |
| packages/utils/src/abuse-protection/tests/index.test.ts | Adds unit tests for abuse-protection behaviors and helpers. |
| packages/utils/src/abuse-protection/tests/edge.test.ts | Adds unit tests for edge IP extraction. |
| packages/utils/package.json | Adds @upstash/redis and @upstash/ratelimit dependencies to utils package. |
| bun.lock | Updates lockfile for dependency moves/version bumps. |
| apps/web/src/proxy.ts | Wires proxy guard into middleware flow for /api requests. |
| apps/web/package.json | Removes unused Upstash deps from web app package. |
…-together and students endpoints
🔧 Biome Check Report
Total Issues Found: 0
🔧 Format Check Results
🔍 Lint Check Results
📋 Next Steps
🤖 Auto-generated by Biome Check workflow • Last updated: 3/23/2026, 6:41:20 PM
…gging in API proxy guard
…ion and rate limiting
Description
What?
Why?
How?
Screenshots for proof (must have)