[PR #5746] [MERGED] chore: apply ThrottlerBehindProxyGuard across controllers #5331

New issue

Closed

opened 2026-03-17 02:47:27 +03:00 by kerem · 0 comments

kerem commented

2026-03-17 02:47:27 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/hoppscotch/hoppscotch/pull/5746
Author: @mirarifhasan
Created: 1/5/2026
Status: ✅ Merged
Merged: 1/5/2026
Merged by: @mirarifhasan

Base: patch ← Head: fix/rate-limit-on-health-route

📝 Commits (1)

711cd6c feat: apply ThrottlerBehindProxyGuard to controllers

📊 Changes

4 files changed (+20 additions, -3 deletions)

View changed files

📝 packages/hoppscotch-backend/src/app.controller.ts (+3 -1)
📝 packages/hoppscotch-backend/src/health/health.controller.ts (+3 -1)
📝 packages/hoppscotch-backend/src/infra-config/onboarding.controller.ts (+11 -1)
📝 packages/hoppscotch-backend/src/published-docs/published-docs.controller.ts (+3 -0)

📄 Description

Closes BE-700

What's changed

This PR addresses missing rate-limit coverage in a few backend endpoints to ensure consistent protection across the API surface.

Added rate-limiting to health check APIs.
Applied rate-limiting to additional controllers that were previously missed.

Notes to reviewers

No additional notes.

Summary by cubic

Applied ThrottlerBehindProxyGuard across ping, health, onboarding (v1), and published-docs (v1) controllers to enforce proxy-aware rate limiting and fix missing coverage on the health route. This addresses BE-700 and ensures consistent protection on public endpoints.

Bug Fixes
- Health and ping routes are now rate-limited to prevent abuse and excessive polling.
- Guard added at controller level so all child routes inherit the limit.

^{Written for commit 711cd6c601. Summary will update on new commits.}

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/hoppscotch/hoppscotch/pull/5746 **Author:** [@mirarifhasan](https://github.com/mirarifhasan) **Created:** 1/5/2026 **Status:** ✅ Merged **Merged:** 1/5/2026 **Merged by:** [@mirarifhasan](https://github.com/mirarifhasan) **Base:** `patch` ← **Head:** `fix/rate-limit-on-health-route` --- ### 📝 Commits (1) - [`711cd6c`](https://github.com/hoppscotch/hoppscotch/commit/711cd6c601486810c1bdcf29b765952aaebda83e) feat: apply ThrottlerBehindProxyGuard to controllers ### 📊 Changes **4 files changed** (+20 additions, -3 deletions) <details> <summary>View changed files</summary> 📝 `packages/hoppscotch-backend/src/app.controller.ts` (+3 -1) 📝 `packages/hoppscotch-backend/src/health/health.controller.ts` (+3 -1) 📝 `packages/hoppscotch-backend/src/infra-config/onboarding.controller.ts` (+11 -1) 📝 `packages/hoppscotch-backend/src/published-docs/published-docs.controller.ts` (+3 -0) </details> ### 📄 Description    Closes BE-700  ### What's changed  This PR addresses missing rate-limit coverage in a few backend endpoints to ensure consistent protection across the API surface. 1. Added rate-limiting to health check APIs. 2. Applied rate-limiting to additional controllers that were previously missed.  ### Notes to reviewers  No additional notes.  --- ## Summary by cubic Applied ThrottlerBehindProxyGuard across ping, health, onboarding (v1), and published-docs (v1) controllers to enforce proxy-aware rate limiting and fix missing coverage on the health route. This addresses BE-700 and ensures consistent protection on public endpoints. - **Bug Fixes** - Health and ping routes are now rate-limited to prevent abuse and excessive polling. - Guard added at controller level so all child routes inherit the limit. <sup>Written for commit 711cd6c601486810c1bdcf29b765952aaebda83e. Summary will update on new commits.</sup>  --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>