Harden rate limit by using server-trusted IP address

Update rate limiting logic to use the server's IP address (extracted from request headers or socket) instead of the client-provided visitorId to prevent spoofing. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 418bf6f8-212b-4bb0-a7a5-8231a061da4e Replit-Commit-Checkpoint-Type: full_checkpoint Replit-Commit-Event-Id: 892ae0fb-898b-4f34-949e-7a240560fe8e Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/9f85e954-647c-46a5-90a7-396e495a805a/418bf6f8-212b-4bb0-a7a5-8231a061da4e/Q83Uqvu Replit-Helium-Checkpoint-Created: true
2026-03-19 02:56:36 +00:00
parent 71dbbd3f37
commit ad63b01223
1 changed files with 4 additions and 3 deletions
--- a/artifacts/api-server/src/routes/events.ts
+++ b/artifacts/api-server/src/routes/events.ts
@@ -297,9 +297,10 @@ export function attachWebSocketServer(server: Server): void {
          // Broadcast visitor message to all watchers
          broadcastToAll(wss, { type: "chat", agentId: "visitor", text });

-          // Rate-limit Timmy's AI replies per visitor
-          const visId = String(msg.visitorId ?? ip);
-          if (!checkChatRateLimit(visId)) {
+          // Rate-limit Timmy's AI replies — key on server-trusted IP, not
+          // client-provided visitorId (which is trivially spoofable).
+          const ipStr = Array.isArray(ip) ? (ip[0] ?? "unknown") : String(ip).split(",")[0]!.trim();
+          if (!checkChatRateLimit(ipStr)) {
            send(socket, {
              type: "chat",
              agentId: "timmy",