* feat: enhance application update functionality with validation and error handling
  - Added a new error message for editing applications too soon.
  - Implemented a function to build the update payload for applications.
  - Updated the application update logic to include user authorization and time-based restrictions.
  - Refactored the application validator to include comprehensive validation for update data.
  - Adjusted routes to use the new validation function for application updates.
* feat: add validation for application update empty payload
* fix: update validation for numberOfHours in application update to allow a maximum of 168 hours
* refactor: enhance application update payload handling and validation
* refactor: streamline application update process and logging
* feat: enhance application update responses
* refactor: update social link validation to use consistent property name "phoneNumber"

---------

Co-authored-by: Amit Prakash <34869115+iamitprakash@users.noreply.github.com>
* feat: enhance application update functionality with validation and error handling
  - Added a new error message for editing applications too soon.
  - Implemented a function to build the update payload for applications.
  - Updated the application update logic to include user authorization and time-based restrictions.
  - Refactored the application validator to include comprehensive validation for update data.
  - Adjusted routes to use the new validation function for application updates.
* feat: add validation for application update empty payload
* feat: implement comprehensive tests for application update functionality
  - Added integration tests for the PATCH /applications/:applicationId endpoint, covering various scenarios including successful updates, validation errors, and authorization checks.
  - Enhanced unit tests for the applications controller to validate update logic and error handling.
  - Introduced validation tests for application update data to ensure proper request structure and content.
  - Updated application model tests to verify correct behavior for update operations under different conditions.
* fix: update validation for numberOfHours in application update to allow a maximum of 168 hours
* fix: update test to reflect new maximum for numberOfHours validation in application update
* refactor: enhance application update payload handling and validation
* refactor: streamline application update process and logging
* test: update application tests to remove logging dependency
* feat: enhance application update responses
* refactor: update social link validation to use consistent property name "phoneNumber"
* refactor: remove updateApplication tests and logging dependency from application test suite
* fix: standardize success message and update social link property name in application validation tests

---------

Co-authored-by: Amit Prakash <34869115+iamitprakash@users.noreply.github.com>
| ); | ||
| router.get("/:applicationId", authenticate, authorizeRoles([SUPERUSER]), applications.getApplicationById); | ||
| router.post("/", authenticate, applicationValidator.validateApplicationData, applications.addApplication); | ||
| router.patch("/:applicationId", authenticate, applicationValidator.validateApplicationUpdateData, applications.updateApplication); |
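Review bot: the new PATCH route on the last line is guarded only by `authenticate` and the validator, while the GET route directly above it enforces `authorizeRoles([SUPERUSER])` at the route layer and the same file already imports `authorizeOwnOrSuperUser`. If ownership checks for updates live in the controller (as the commit message says), consider also applying `authorizeOwnOrSuperUser` here so the route layer documents and enforces who may edit an application, consistent with the sibling routes.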
Check failure: Code scanning / CodeQL: Missing rate limiting (High)

Copilot Autofix (AI, 6 days ago):
In general, the fix is to introduce a rate-limiting middleware (for example, with express-rate-limit) and apply it to the relevant routes (or the entire router) that perform authentication/authorization and likely expensive operations. This middleware will cap the number of requests per IP (or another key) within a given time window, mitigating denial‑of‑service attempts via excessive authorized requests.
For this specific file, the best minimal-change fix is:

- Import and configure a rate limiter in `routes/applications.ts` using `express-rate-limit`.
- Attach the limiter either to the entire `router` (so all application routes are covered) or at least to the specific routes performing authorization. Applying it once to the router is simpler and addresses all three variants in one place without altering existing controller logic.

Concrete changes in `routes/applications.ts`:

- Add a `require("express-rate-limit")` import right after the existing imports.
- Define a `limiter` constant using `RateLimit({ windowMs: ..., max: ... })`. We'll choose reasonable defaults (e.g., 100 requests per 15 minutes) as in the background example.
- Apply `router.use(limiter);` after `const router = express.Router();` so it protects all routes in this router, including the one on line 20 that triggered the alert.
No other existing middleware, handlers, or signatures need to change.
| @@ -5,9 +5,17 @@ | ||
| const applications = require("../controllers/applications"); | ||
| const { authorizeOwnOrSuperUser } = require("../middlewares/authorizeOwnOrSuperUser"); | ||
| const applicationValidator = require("../middlewares/validators/application"); | ||
| const RateLimit = require("express-rate-limit"); | ||
|
|
||
| const router = express.Router(); | ||
|
|
||
| const limiter = RateLimit({ | ||
| windowMs: 15 * 60 * 1000, // 15 minutes | ||
| max: 100, // limit each IP to 100 requests per windowMs | ||
| }); | ||
|
|
||
| router.use(limiter); | ||
|
|
||
| router.get( | ||
| "/", | ||
| authenticate, |
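Review bot: `router.use(limiter)` keys every request on `req.ip` by default, so unless the app sets Express's `trust proxy`, all traffic arriving through a load balancer or reverse proxy collapses into one 100-request bucket per 15 minutes and legitimate users get 429s (express-rate-limit v7+ logs a validation error when it sees `X-Forwarded-For` with `trust proxy` unset). Since the routes in this file run `authenticate` anyway, a `keyGenerator` based on the authenticated user id would bound the right principal. Also note the default in-memory store is per process, so with several instances the effective cap is 100 per instance, not 100 overall.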
| @@ -42,7 +42,8 @@ | ||
| "passport-github2": "0.1.12", | ||
| "passport-google-oauth20": "^2.0.0", | ||
| "rate-limiter-flexible": "5.0.3", | ||
| "winston": "3.13.0" | ||
| "winston": "3.13.0", | ||
| "express-rate-limit": "^8.2.1" | ||
| }, | ||
| "devDependencies": { | ||
| "@types/chai": "4.3.16", |
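Review bot: `"rate-limiter-flexible": "5.0.3"` is already present two lines above the new entry, so this adds a second rate-limiting library to the dependency set for one concern; reusing the existing one avoids the duplicate. The new entry also uses a caret range (`"express-rate-limit": "^8.2.1"`) while the surrounding entries are pinned exactly (`"winston": "3.13.0"`, `"rate-limiter-flexible": "5.0.3"`); pin it to match the project's convention.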
| Package | Version | Security advisories |
| express-rate-limit (npm) | 8.2.1 | None |
feat: enhance Discord invite generation and role handling
| * Refer https://github.com/Real-Dev-Squad/todo-action-items/issues/269 for more details. | ||
| */ | ||
| router.post("/invite", disableRoute, authenticate, checkCanGenerateDiscordLink, generateInviteForUser); | ||
| router.post("/invite", authenticate, checkCanGenerateDiscordLink, generateInviteForUser); |
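Review bot: dropping `disableRoute` re-enables the `/invite` POST for every authenticated caller that passes `checkCanGenerateDiscordLink`, yet the comment block immediately above still points at todo-action-items issue 269 as the reason the endpoint was short-circuited. Either confirm in the PR that the issue is resolved and update the comment, or keep the route disabled until it is.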
Check failure: Code scanning / CodeQL: Missing rate limiting (High)

Copilot Autofix (AI, 5 days ago):
In general, the fix is to introduce a rate-limiting middleware (such as express-rate-limit) and apply it to the sensitive route so that even authorized users cannot spam it. This limits the number of invite-generation requests per client (typically per IP or per user identifier) over a time window, mitigating DoS and abuse of downstream services like Discord.
The best fix here, without changing existing functionality, is to add express-rate-limit to this router and apply a limiter only to the /invite POST route (and potentially the GET route if desired). We keep all existing middlewares and handlers in the same order, only inserting an extra middleware in the chain. Following the example in the background, we will require('express-rate-limit'), configure a limiter (e.g., modest per-minute or per-15-minute caps), and insert it in the router.post("/invite", ...) definition immediately after authenticate so that only authenticated requests are counted/throttled. This localizes the change to routes/discordactions.js and preserves the existing behavior of authentication, role checks, and business logic.
Concretely:

- At the top of `routes/discordactions.js`, add `const rateLimit = require("express-rate-limit");`.
- Define a limiter constant, e.g. `const inviteRateLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100 });` (you may adjust numbers later, but we must pick reasonable defaults now).
- Update the `/invite` POST route (around line 50) to include `inviteRateLimiter` in the middleware list: `router.post("/invite", authenticate, inviteRateLimiter, checkCanGenerateDiscordLink, generateInviteForUser);`.
All other routes remain unchanged.
| @@ -32,8 +32,14 @@ | ||
| const { verifyCronJob } = require("../middlewares/authorizeBot"); | ||
| const { authorizeAndAuthenticate } = require("../middlewares/authorizeUsersAndService"); | ||
| const { disableRoute } = require("../middlewares/shortCircuit"); | ||
| const rateLimit = require("express-rate-limit"); | ||
| const router = express.Router(); | ||
|
|
||
| const inviteRateLimiter = rateLimit({ | ||
| windowMs: 15 * 60 * 1000, // 15 minutes | ||
| max: 100, // limit each IP to 100 invite requests per windowMs | ||
| }); | ||
|
|
||
| router.post("/groups", authenticate, checkIsVerifiedDiscord, validateGroupRoleBody, createGroupRole); | ||
| router.get("/groups", authenticate, checkIsVerifiedDiscord, validateLazyLoadingParams, getPaginatedAllGroupRoles); | ||
| router.delete("/groups/:groupId", authenticate, checkIsVerifiedDiscord, authorizeRoles([SUPERUSER]), deleteGroupRole); | ||
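Review bot: `const { disableRoute } = require("../middlewares/shortCircuit");` is kept in this hunk although the only visible consumer, the `/invite` route, stops using it in the next hunk; remove the import if nothing else in the file uses it. For `inviteRateLimiter`, the comment says "limit each IP to 100 invite requests", but the limiter is inserted after `authenticate`, where the request already carries the user; pass a `keyGenerator` keyed on the user id so one account cannot exhaust the quota of everyone behind the same NAT address, and so the count is attached to the identity that `checkCanGenerateDiscordLink` authorizes.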
| @@ -47,7 +51,7 @@ | ||
| * Short-circuit this POST method for this endpoint | ||
| * Refer https://github.com/Real-Dev-Squad/todo-action-items/issues/269 for more details. | ||
| */ | ||
| router.post("/invite", authenticate, checkCanGenerateDiscordLink, generateInviteForUser); | ||
| router.post("/invite", authenticate, inviteRateLimiter, checkCanGenerateDiscordLink, generateInviteForUser); | ||
|
|
||
| router.delete("/roles", authenticate, checkIsVerifiedDiscord, deleteRole); | ||
| router.get("/roles", authenticate, checkIsVerifiedDiscord, getGroupsRoleId); |
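Review bot: the doc comment above the route still reads "Short-circuit this POST method for this endpoint", but this hunk removes `disableRoute`, which was the short-circuit; update or delete the comment so it does not describe a guard that no longer exists. Because `inviteRateLimiter` sits after `authenticate`, unauthenticated floods against `/invite` are never counted here, so the auth middleware itself needs to be throttled upstream for this to address the CodeQL finding end to end.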
| @@ -42,7 +42,8 @@ | ||
| "passport-github2": "0.1.12", | ||
| "passport-google-oauth20": "^2.0.0", | ||
| "rate-limiter-flexible": "5.0.3", | ||
| "winston": "3.13.0" | ||
| "winston": "3.13.0", | ||
| "express-rate-limit": "^8.2.1" | ||
| }, | ||
| "devDependencies": { | ||
| "@types/chai": "4.3.16", |
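Review bot: this package.json hunk is identical to the one proposed for the first alert and should be applied once, not twice. The same two points apply: `rate-limiter-flexible` 5.0.3 is already a dependency, and the new `"^8.2.1"` range breaks the exact-pin convention used by the neighbouring entries.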
| Package | Version | Security advisories |
| express-rate-limit (npm) | 8.2.1 | None |
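Both Copilot suggestions above wire express-rate-limit in with its default per-IP key, one of them deliberately placed after `authenticate`. The block below is an added example, not code from the project and not the library's implementation: a small dependency-free fixed-window limiter with the same `(req, res, next)` middleware shape, run against a constructed burst from two authenticated users who share one NAT address, to show what changes when the limiter is keyed on the authenticated user rather than on `req.ip`. The `req.userData.id` field, the addresses, and the limits are assumptions made for the illustration.

```javascript
"use strict";

// Added example, not code from the project or from the Copilot suggestions.
// A fixed-window rate limiter with the Express (req, res, next) middleware
// shape, kept dependency-free so it runs stand-alone. The identity field
// `req.userData.id` and the limits used below are assumptions for illustration.

function createRateLimiter({ windowMs, limit, keyGenerator, now = Date.now }) {
  const buckets = new Map(); // key -> { count, resetAt }; per-process, like a memory store

  // Count one hit for `key` at time `t`; returns the decision and bucket state.
  function hit(key, t) {
    let bucket = buckets.get(key);
    if (!bucket || t >= bucket.resetAt) {
      bucket = { count: 0, resetAt: t + windowMs };
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    return {
      allowed: bucket.count <= limit,
      remaining: Math.max(0, limit - bucket.count),
      resetAt: bucket.resetAt,
    };
  }

  function middleware(req, res, next) {
    const t = now();
    const result = hit(keyGenerator(req), t);
    res.setHeader("RateLimit-Limit", String(limit));
    res.setHeader("RateLimit-Remaining", String(result.remaining));
    if (!result.allowed) {
      res.setHeader("Retry-After", String(Math.ceil((result.resetAt - t) / 1000)));
      return res.status(429).json({ message: "Too many requests, try again later." });
    }
    return next();
  }

  middleware.hit = hit; // exposed so the decision logic can be exercised directly
  return middleware;
}

// When the limiter sits after `authenticate`, key on the user; fall back to
// req.ip for anything unauthenticated. req.ip is only meaningful behind a
// reverse proxy if Express's `trust proxy` setting is configured.
function userOrIpKey(req) {
  if (req.userData && req.userData.id) return "user:" + req.userData.id;
  return "ip:" + req.ip;
}

function ipOnlyKey(req) {
  return "ip:" + req.ip;
}

// Minimal stand-in for Express's res object.
function makeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.setHeader = (name, value) => { res.headers[name] = value; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Run each request through `limiter`; 200 means next() was called, otherwise
// the status the limiter sent.
function runRequests(limiter, requests) {
  return requests.map((req) => {
    const res = makeRes();
    let passed = false;
    limiter(req, res, () => { passed = true; });
    return passed ? 200 : res.statusCode;
  });
}

// Constructed scenario: two authenticated users behind one NAT address each
// send four invite requests against a limit of three per window.
function demo() {
  let clock = 0; // injectable clock so the window rollover is deterministic
  const opts = { windowMs: 60 * 1000, limit: 3, now: () => clock };
  const alice = { ip: "203.0.113.7", userData: { id: "alice" } };
  const bob = { ip: "203.0.113.7", userData: { id: "bob" } };
  const burst = [alice, alice, alice, alice, bob, bob, bob, bob];

  const perUser = runRequests(createRateLimiter({ ...opts, keyGenerator: userOrIpKey }), burst);
  const perIp = runRequests(createRateLimiter({ ...opts, keyGenerator: ipOnlyKey }), burst);

  // After the window elapses the per-user bucket resets and alice is admitted again.
  const userLimiter = createRateLimiter({ ...opts, keyGenerator: userOrIpKey });
  runRequests(userLimiter, [alice, alice, alice, alice]);
  clock = 60 * 1000;
  const afterWindow = runRequests(userLimiter, [alice]);

  return { perUser, perIp, afterWindow };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

With per-user keys the burst yields `[200, 200, 200, 429, 200, 200, 200, 429]`; with the IP key both users share one bucket and the result is `[200, 200, 200, 429, 429, 429, 429, 429]`, so bob is locked out by alice's traffic. express-rate-limit exposes the same choice through its `keyGenerator` option, and its default memory store has the same per-process scope as the `Map` here, so a deployment with several instances needs a shared store for the cap to mean anything globally.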
Date: 12 Feb 2026
Developer Name: @AnujChhikara
Issue Ticket Number
PRs going for sync
Description
Documentation Updated?
Under Feature Flag
Database Changes
Breaking Changes
Development Tested?
Screenshots
Screen.Recording.2026-02-12.at.12.40.27.AM.mov
Screen.Recording.2026-02-13.at.11.31.30.PM.mov