
fix: prevent unauthenticated click fraud on POST /api/links/:id/click #281

Open

aarushlohit wants to merge 1 commit into mayo-byte07:main from aarushlohit:fix/click-fraud-rate-limit

fix: prevent unauthenticated click fraud on POST /api/links/:id/click#281
aarushlohit wants to merge 1 commit into
mayo-byte07:mainfrom
aarushlohit:fix/click-fraud-rate-limit

Conversation

@aarushlohit


Description
Fixes #139 — Unauthenticated click-count inflation via link ID enumeration. The POST /api/links/:id/click endpoint had no auth or rate limiting, letting attackers enumerate UUIDs and inflate click counters arbitrarily.
Changes Made

  • Added clickLimiter — rate limit of 30 requests per 15 minutes per IP using express-rate-limit, consistent with existing limiter patterns in the codebase
  • Added IP-based deduplication — in-memory Map keyed by {clientIp}:{linkId} with 1-hour TTL prevents the same visitor from counting multiple clicks on the same link
  • Added cleanup on 404 — if the link doesn't exist, the dedup entry is removed so invalid IDs don't poison the dedup map
  • Periodic cleanup — setInterval evicts stale dedup entries every 5 minutes to prevent memory leak

- Add rate limiter (30 req/15min per IP) to prevent rapid click inflation
- Add IP-based deduplication (1hr TTL) to prevent same visitor recounting
- Clean up dedup entries on link-not-found to avoid phantom entries

Fixes mayo-byte07#139
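The two controls the PR describes (a per-IP rate limit in front of the click route, and an in-memory dedup map keyed by client IP and link ID with a TTL, a forget-on-404 path and a periodic sweep), as an added example in plain Node. This is not the PR's or the project's code: ClickDeduper, FixedWindowLimiter, handleClick, simulate, the sample link "3f1c" and the documentation-range IPs are all constructed for illustration, and a small fixed-window limiter stands in for express-rate-limit so the block runs with no dependencies. The clock is injectable so the 15-minute window and 1-hour TTL can be stepped through deterministically.

```javascript
// Added example (not the project's code). Names ClickDeduper, FixedWindowLimiter,
// handleClick and simulate, and all sample links/IPs, are constructed for illustration.
const DEDUP_TTL_MS = 60 * 60 * 1000;   // 1-hour dedup TTL from the PR description
const WINDOW_MS = 15 * 60 * 1000;      // 15-minute rate-limit window
const MAX_PER_WINDOW = 30;             // 30 requests per window per IP

// Remembers which (clientIp, linkId) pairs have already been counted.
class ClickDeduper {
  constructor(ttlMs = DEDUP_TTL_MS, now = Date.now) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.seen = new Map(); // "ip:linkId" -> expiry timestamp (ms)
  }
  // True if this is the first click from ip on linkId within the TTL (and records it).
  claim(ip, linkId) {
    const k = `${ip}:${linkId}`;
    const t = this.now();
    const expiry = this.seen.get(k);
    if (expiry !== undefined && expiry > t) return false;
    this.seen.set(k, t + this.ttlMs);
    return true;
  }
  // Drop an entry again, e.g. when the link turned out not to exist.
  forget(ip, linkId) { this.seen.delete(`${ip}:${linkId}`); }
  // Periodic sweep (what a setInterval would call); returns how many expired entries went.
  evictStale() {
    const t = this.now();
    let removed = 0;
    for (const [k, expiry] of this.seen) {
      if (expiry <= t) { this.seen.delete(k); removed++; }
    }
    return removed;
  }
  size() { return this.seen.size; }
}

// Minimal fixed-window per-IP limiter standing in for express-rate-limit.
class FixedWindowLimiter {
  constructor(max = MAX_PER_WINDOW, windowMs = WINDOW_MS, now = Date.now) {
    this.max = max;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // ip -> { count, resetAt }
  }
  allow(ip) {
    const t = this.now();
    let b = this.buckets.get(ip);
    if (!b || b.resetAt <= t) {
      b = { count: 0, resetAt: t + this.windowMs };
      this.buckets.set(ip, b);
    }
    b.count += 1;
    return b.count <= this.max;
  }
}

// Click handler: limiter first (as middleware would run), then dedup, then the
// link lookup, with the dedup entry forgotten when the link does not exist.
function handleClick(req, ctx) {
  const { ip, linkId } = req;
  if (!ctx.limiter.allow(ip)) return { status: 429 };
  if (!ctx.deduper.claim(ip, linkId)) return { status: 200, counted: false };
  const link = ctx.links.get(linkId);
  if (!link) {
    ctx.deduper.forget(ip, linkId); // enumerated IDs must not poison the map
    return { status: 404 };
  }
  link.clicks += 1;
  return { status: 200, counted: true, clicks: link.clicks };
}

// Deterministic walk-through with a fake clock and one constructed link.
function simulate() {
  const clock = { t: 1000 };
  const now = () => clock.t;
  const ctx = {
    limiter: new FixedWindowLimiter(MAX_PER_WINDOW, WINDOW_MS, now),
    deduper: new ClickDeduper(DEDUP_TTL_MS, now),
    links: new Map([['3f1c', { clicks: 0 }]]), // constructed sample link
  };
  const ipA = '198.51.100.7', ipB = '203.0.113.9'; // documentation-range IPs
  const out = {};
  out.first = handleClick({ ip: ipA, linkId: '3f1c' }, ctx);       // counted, clicks 1
  out.repeat = handleClick({ ip: ipA, linkId: '3f1c' }, ctx);      // deduplicated
  out.otherIp = handleClick({ ip: ipB, linkId: '3f1c' }, ctx);     // counted, clicks 2
  out.missing = handleClick({ ip: ipA, linkId: 'nope' }, ctx);     // 404
  out.dedupEntries = ctx.deduper.size();                            // 2: 'nope' was forgotten
  let allowed = 0, limited = 0;                                     // ipA has used 3 of 30
  for (let i = 0; i < 28; i++) {
    const r = handleClick({ ip: ipA, linkId: '3f1c' }, ctx);
    if (r.status === 429) limited++; else allowed++;
  }
  out.burst = { allowed, limited };                                 // 27 allowed, 1 limited
  clock.t += WINDOW_MS;                                             // window resets, TTL does not
  out.afterWindow = handleClick({ ip: ipA, linkId: '3f1c' }, ctx); // still deduplicated
  clock.t += DEDUP_TTL_MS;                                          // now past the dedup TTL
  out.evicted = ctx.deduper.evictStale();                           // 2 expired entries
  out.afterTtl = handleClick({ ip: ipA, linkId: '3f1c' }, ctx);    // counted again, clicks 3
  return out;
}

console.log(JSON.stringify(simulate(), null, 2));
```

Two design points worth noting when reviewing a change like this. The dedup entry is claimed before the link lookup, which is what makes the forget-on-404 step necessary: without it, every enumerated ID would leave an entry behind for the full TTL. And both controls key on the client IP, so the value fed in has to be one the deployment actually trusts (in Express that means `req.ip` with `trust proxy` configured to match the real proxy chain), and an in-memory Map and limiter are per-process, so on a multi-instance or serverless deployment each instance keeps its own state; a shared store is needed for the limit and the dedup to hold globally.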
@vercel

vercel Bot commented Jun 17, 2026


@aarushlohit is attempting to deploy a commit to the Mayo's projects Team on Vercel.

A member of the Team first needs to authorize it.


Development

Successfully merging this pull request may close these issues.

Unauthenticated click-count inflation via link ID enumeration