fix(rate-limit): address PR review — drop success field from 429 body, fall back to per-IP when JWT auth lacks userId

waleedlatif1 · waleedlatif1 · commit 2f3657cd373a · 2026-05-13T19:02:53.000-07:00
diff --git a/apps/sim/app/api/tools/a2a/cancel-task/route.ts b/apps/sim/app/api/tools/a2a/cancel-task/route.ts
@@ -5,7 +5,7 @@ import { createA2AClient } from '@/lib/a2a/utils'
 import { a2aCancelTaskContract } from '@/lib/api/contracts/tools/a2a'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
-import { enforceUserRateLimit } from '@/lib/core/rate-limiter'
+import { enforceUserOrIpRateLimit } from '@/lib/core/rate-limiter'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
@@ -30,7 +30,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       )
     }
 
-    const rateLimited = await enforceUserRateLimit('a2a-cancel-task', authResult.userId!)
+    const rateLimited = await enforceUserOrIpRateLimit(
+      'a2a-cancel-task',
+      authResult.userId,
+      request
+    )
     if (rateLimited) return rateLimited
 
     const parsed = await parseRequest(
diff --git a/apps/sim/app/api/tools/a2a/delete-push-notification/route.ts b/apps/sim/app/api/tools/a2a/delete-push-notification/route.ts
@@ -4,7 +4,7 @@ import { createA2AClient } from '@/lib/a2a/utils'
 import { a2aDeletePushNotificationContract } from '@/lib/api/contracts/tools/a2a'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
-import { enforceUserRateLimit } from '@/lib/core/rate-limiter'
+import { enforceUserOrIpRateLimit } from '@/lib/core/rate-limiter'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
@@ -31,9 +31,10 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       )
     }
 
-    const rateLimited = await enforceUserRateLimit(
+    const rateLimited = await enforceUserOrIpRateLimit(
       'a2a-delete-push-notification',
-      authResult.userId!
+      authResult.userId,
+      request
     )
     if (rateLimited) return rateLimited
 
diff --git a/apps/sim/app/api/tools/a2a/get-agent-card/route.ts b/apps/sim/app/api/tools/a2a/get-agent-card/route.ts
@@ -4,7 +4,7 @@ import { createA2AClient } from '@/lib/a2a/utils'
 import { a2aGetAgentCardContract } from '@/lib/api/contracts/tools/a2a'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
-import { enforceUserRateLimit } from '@/lib/core/rate-limiter'
+import { enforceUserOrIpRateLimit } from '@/lib/core/rate-limiter'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
@@ -29,7 +29,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       )
     }
 
-    const rateLimited = await enforceUserRateLimit('a2a-get-agent-card', authResult.userId!)
+    const rateLimited = await enforceUserOrIpRateLimit(
+      'a2a-get-agent-card',
+      authResult.userId,
+      request
+    )
     if (rateLimited) return rateLimited
 
     logger.info(
diff --git a/apps/sim/app/api/tools/a2a/get-push-notification/route.ts b/apps/sim/app/api/tools/a2a/get-push-notification/route.ts
@@ -4,7 +4,7 @@ import { createA2AClient } from '@/lib/a2a/utils'
 import { a2aGetPushNotificationContract } from '@/lib/api/contracts/tools/a2a'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
-import { enforceUserRateLimit } from '@/lib/core/rate-limiter'
+import { enforceUserOrIpRateLimit } from '@/lib/core/rate-limiter'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
@@ -31,7 +31,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       )
     }
 
-    const rateLimited = await enforceUserRateLimit('a2a-get-push-notification', authResult.userId!)
+    const rateLimited = await enforceUserOrIpRateLimit(
+      'a2a-get-push-notification',
+      authResult.userId,
+      request
+    )
     if (rateLimited) return rateLimited
 
     logger.info(
diff --git a/apps/sim/app/api/tools/a2a/get-task/route.ts b/apps/sim/app/api/tools/a2a/get-task/route.ts
@@ -5,7 +5,7 @@ import { createA2AClient } from '@/lib/a2a/utils'
 import { a2aGetTaskContract } from '@/lib/api/contracts/tools/a2a'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
-import { enforceUserRateLimit } from '@/lib/core/rate-limiter'
+import { enforceUserOrIpRateLimit } from '@/lib/core/rate-limiter'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
@@ -30,7 +30,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       )
     }
 
-    const rateLimited = await enforceUserRateLimit('a2a-get-task', authResult.userId!)
+    const rateLimited = await enforceUserOrIpRateLimit('a2a-get-task', authResult.userId, request)
     if (rateLimited) return rateLimited
 
     logger.info(`[${requestId}] Authenticated A2A get task request via ${authResult.authType}`, {
diff --git a/apps/sim/app/api/tools/a2a/resubscribe/route.ts b/apps/sim/app/api/tools/a2a/resubscribe/route.ts
@@ -12,7 +12,7 @@ import { createA2AClient, extractTextContent, isTerminalState } from '@/lib/a2a/
 import { a2aResubscribeContract } from '@/lib/api/contracts/tools/a2a'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
-import { enforceUserRateLimit } from '@/lib/core/rate-limiter'
+import { enforceUserOrIpRateLimit } from '@/lib/core/rate-limiter'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
@@ -37,7 +37,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       )
     }
 
-    const rateLimited = await enforceUserRateLimit('a2a-resubscribe', authResult.userId!)
+    const rateLimited = await enforceUserOrIpRateLimit(
+      'a2a-resubscribe',
+      authResult.userId,
+      request
+    )
     if (rateLimited) return rateLimited
 
     const parsed = await parseRequest(
diff --git a/apps/sim/app/api/tools/a2a/send-message/route.ts b/apps/sim/app/api/tools/a2a/send-message/route.ts
@@ -7,7 +7,7 @@ import { createA2AClient, extractTextContent, isTerminalState } from '@/lib/a2a/
 import { a2aSendMessageContract } from '@/lib/api/contracts/tools/a2a'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
-import { enforceUserRateLimit } from '@/lib/core/rate-limiter'
+import { enforceUserOrIpRateLimit } from '@/lib/core/rate-limiter'
 import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
@@ -33,7 +33,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       )
     }
 
-    const rateLimited = await enforceUserRateLimit('a2a-send-message', authResult.userId!)
+    const rateLimited = await enforceUserOrIpRateLimit(
+      'a2a-send-message',
+      authResult.userId,
+      request
+    )
     if (rateLimited) return rateLimited
 
     logger.info(
diff --git a/apps/sim/app/api/tools/a2a/set-push-notification/route.ts b/apps/sim/app/api/tools/a2a/set-push-notification/route.ts
@@ -4,7 +4,7 @@ import { createA2AClient } from '@/lib/a2a/utils'
 import { a2aSetPushNotificationContract } from '@/lib/api/contracts/tools/a2a'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
-import { enforceUserRateLimit } from '@/lib/core/rate-limiter'
+import { enforceUserOrIpRateLimit } from '@/lib/core/rate-limiter'
 import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
@@ -32,7 +32,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       )
     }
 
-    const rateLimited = await enforceUserRateLimit('a2a-set-push-notification', authResult.userId!)
+    const rateLimited = await enforceUserOrIpRateLimit(
+      'a2a-set-push-notification',
+      authResult.userId,
+      request
+    )
     if (rateLimited) return rateLimited
 
     const parsed = await parseRequest(
diff --git a/apps/sim/lib/core/rate-limiter/index.ts b/apps/sim/lib/core/rate-limiter/index.ts
@@ -12,6 +12,7 @@ export {
   DEFAULT_PUBLIC_IP_ROUTE_LIMIT,
   DEFAULT_USER_ROUTE_LIMIT,
   enforceIpRateLimit,
+  enforceUserOrIpRateLimit,
   enforceUserRateLimit,
 } from './route-helpers'
 export type { TokenBucketConfig } from './storage'
diff --git a/apps/sim/lib/core/rate-limiter/route-helpers.test.ts b/apps/sim/lib/core/rate-limiter/route-helpers.test.ts
@@ -31,7 +31,7 @@ function passThroughClientIp() {
   )
 }
 
-import { enforceIpRateLimit, enforceUserRateLimit } from './route-helpers'
+import { enforceIpRateLimit, enforceUserOrIpRateLimit, enforceUserRateLimit } from './route-helpers'
 
 const consume = mockAdapter.consumeTokens as Mock
 
@@ -157,4 +157,36 @@ describe('route-helpers rate limiting', () => {
       expect(result?.headers.get('Retry-After')).toBe('60')
     })
   })
+
+  describe('enforceUserOrIpRateLimit', () => {
+    beforeEach(() => {
+      passThroughClientIp()
+    })
+
+    it('keys per-user when userId is present', async () => {
+      consume.mockResolvedValueOnce({
+        allowed: true,
+        tokensRemaining: 59,
+        resetAt: new Date(),
+      })
+      const request = createMockRequest('POST', undefined, { 'x-forwarded-for': '203.0.113.7' })
+
+      await enforceUserOrIpRateLimit('a2a-test', 'user-1', request)
+
+      expect(consume).toHaveBeenCalledWith('route:a2a-test:user:user-1', 1, expect.any(Object))
+    })
+
+    it('falls back to per-IP when userId is undefined', async () => {
+      consume.mockResolvedValueOnce({
+        allowed: true,
+        tokensRemaining: 59,
+        resetAt: new Date(),
+      })
+      const request = createMockRequest('POST', undefined, { 'x-forwarded-for': '203.0.113.7' })
+
+      await enforceUserOrIpRateLimit('a2a-test', undefined, request)
+
+      expect(consume).toHaveBeenCalledWith('route:a2a-test:ip:203.0.113.7', 1, expect.any(Object))
+    })
+  })
 })
diff --git a/apps/sim/lib/core/rate-limiter/route-helpers.ts b/apps/sim/lib/core/rate-limiter/route-helpers.ts
@@ -25,7 +25,6 @@ function buildRateLimitResponse(resetAt: Date): NextResponse {
   const retryAfterSec = Math.max(1, Math.ceil((resetAt.getTime() - Date.now()) / 1000))
   return NextResponse.json(
     {
-      success: false,
       error: 'Rate limit exceeded',
       retryAfter: resetAt.getTime(),
     },
@@ -72,3 +71,19 @@ export async function enforceIpRateLimit(
   logger.warn('IP rate limit exceeded', { bucket: bucketName, ip })
   return buildRateLimitResponse(resetAt)
 }
+
+/**
+ * Apply a per-user limit when a userId is present, else fall back to per-IP.
+ * Use for routes whose auth path may legitimately resolve without a userId
+ * (e.g. internal JWT calls with `requireWorkflowId: false`) so missing-userId
+ * traffic is still throttled per-IP rather than sharing one global bucket.
+ */
+export async function enforceUserOrIpRateLimit(
+  bucketName: string,
+  userId: string | undefined,
+  request: NextRequest,
+  config: TokenBucketConfig = DEFAULT_USER_ROUTE_LIMIT
+): Promise<NextResponse | null> {
+  if (userId) return enforceUserRateLimit(bucketName, userId, config)
+  return enforceIpRateLimit(bucketName, request, config)
+}

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ import { createA2AClient } from '@/lib/a2a/utils'`
`4`	`4`	`import { a2aDeletePushNotificationContract } from '@/lib/api/contracts/tools/a2a'`
`5`	`5`	`import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'`
`6`	`6`	`import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'`
`7`		`-import { enforceUserRateLimit } from '@/lib/core/rate-limiter'`
	`7`	`+import { enforceUserOrIpRateLimit } from '@/lib/core/rate-limiter'`
`8`	`8`	`import { generateRequestId } from '@/lib/core/utils/request'`
`9`	`9`	`import { withRouteHandler } from '@/lib/core/utils/with-route-handler'`
`10`	`10`
`@@ -31,9 +31,10 @@ export const POST = withRouteHandler(async (request: NextRequest) => {`
`31`	`31`	`)`
`32`	`32`	`}`
`33`	`33`
`34`		`- const rateLimited = await enforceUserRateLimit(`
	`34`	`+ const rateLimited = await enforceUserOrIpRateLimit(`
`35`	`35`	`'a2a-delete-push-notification',`
`36`		`- authResult.userId!`
	`36`	`+ authResult.userId,`
	`37`	`+ request`
`37`	`38`	`)`
`38`	`39`	`if (rateLimited) return rateLimited`
`39`	`40`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ import { createA2AClient } from '@/lib/a2a/utils'`
`5`	`5`	`import { a2aGetTaskContract } from '@/lib/api/contracts/tools/a2a'`
`6`	`6`	`import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'`
`7`	`7`	`import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'`
`8`		`-import { enforceUserRateLimit } from '@/lib/core/rate-limiter'`
	`8`	`+import { enforceUserOrIpRateLimit } from '@/lib/core/rate-limiter'`
`9`	`9`	`import { generateRequestId } from '@/lib/core/utils/request'`
`10`	`10`	`import { withRouteHandler } from '@/lib/core/utils/with-route-handler'`
`11`	`11`
`@@ -30,7 +30,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {`
`30`	`30`	`)`
`31`	`31`	`}`
`32`	`32`
`33`		`- const rateLimited = await enforceUserRateLimit('a2a-get-task', authResult.userId!)`
	`33`	`+ const rateLimited = await enforceUserOrIpRateLimit('a2a-get-task', authResult.userId, request)`
`34`	`34`	`if (rateLimited) return rateLimited`
`35`	`35`
`36`	`36`	logger.info(`[${requestId}] Authenticated A2A get task request via ${authResult.authType}`, {