Problem Statement
Currently, our Supabase/Prisma architecture relies entirely on application-level logic for authentication and API mutations. We have no rate limiting in place for sensitive routes (e.g., /auth/login, /auth/reset-password, /api/insights), leaving the application vulnerable to brute-force attacks and DDOS.
Motivation
To become a production-grade platform, we must protect our backend from malicious scraping and credential stuffing.
Proposed Solution
Implement a lightweight Redis-based or memory-based rate limiter middleware for Remix actions and loaders.
- Add a utility function
rateLimit(request, limit, windowMs) in app/utils/rate-limit.server.ts.
- Apply this utility to
app/routes/login-page.tsx, app/routes/signup-page.tsx, and app/routes/reset-password.tsx.
Implementation Notes
- Since we are deploying to Vercel, memory-based limiters won't share state across serverless functions. We should investigate using
@upstash/ratelimit if a Redis instance is available, OR implement a simple IP-based rate limiter using Vercel KV.
- If Redis is unavailable, fallback to a basic memory cache and clearly document the limitation.
Dependencies
- None. Can be worked on independently.
Out-of-Scope
- Do not implement rate limiting on frontend UI components. This is strictly backend middleware.
Acceptance Criteria
Testing Requirements
- Add unit tests for the
rateLimit function.
Documentation Updates
- Document the new utility in
CONTRIBUTING.md so future developers know how to rate-limit their new API routes.
Problem Statement
Currently, our Supabase/Prisma architecture relies entirely on application-level logic for authentication and API mutations. We have no rate limiting in place for sensitive routes (e.g.,
/auth/login,/auth/reset-password,/api/insights), leaving the application vulnerable to brute-force attacks and DDOS.Motivation
To become a production-grade platform, we must protect our backend from malicious scraping and credential stuffing.
Proposed Solution
Implement a lightweight Redis-based or memory-based rate limiter middleware for Remix actions and loaders.
rateLimit(request, limit, windowMs)inapp/utils/rate-limit.server.ts.app/routes/login-page.tsx,app/routes/signup-page.tsx, andapp/routes/reset-password.tsx.Implementation Notes
@upstash/ratelimitif a Redis instance is available, OR implement a simple IP-based rate limiter using Vercel KV.Dependencies
Out-of-Scope
Acceptance Criteria
rateLimitutility function is created.429 Too Many Requestsresponse.Testing Requirements
rateLimitfunction.Documentation Updates
CONTRIBUTING.mdso future developers know how to rate-limit their new API routes.