fix: stop hitting additional rate limit windows once a client is already limited#686
Merged
cameri merged 2 commits intoJul 18, 2026
Conversation
…ady limited isRateLimited() in EventMessageHandler and WebSocketAdapter iterated every configured rate limit window and called rateLimiter.hit() even after an earlier window had already tripped. Each hit() call executes a Lua script against Redis, so a client already being rate-limited caused N redundant Redis writes per message instead of one. Both methods now return as soon as the first exceeded window is found. Signed-off-by: Priyanshubhartistm <bhartipriyanshustm@gmail.com>
🦋 Changeset detectedLatest commit: b59461a The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Collaborator
There was a problem hiding this comment.
Pull request overview
This PR fixes an inefficiency in the message/event rate limiting paths by short-circuiting isRateLimited() once any configured rate limit window reports the client as limited, avoiding redundant Redis writes.
Changes:
- Update
EventMessageHandler.isRateLimited()toreturn trueimmediately on the first exceeded event rate limit window. - Update
WebSocketAdapter.isRateLimited()toreturn trueimmediately on the first exceeded message rate limit window. - Add unit tests ensuring no additional
hit()calls occur after the first exceeded window is detected.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
src/handlers/event-message-handler.ts |
Returns early on the first exceeded event rate limit window to avoid extra Redis writes. |
src/adapters/web-socket-adapter.ts |
Returns early on the first exceeded message rate limit window to avoid extra Redis writes. |
test/unit/handlers/event-message-handler.spec.ts |
Adds a unit test asserting only the first hit() is performed once limited. |
test/unit/adapters/web-socket-adapter.spec.ts |
Adds a unit test asserting only the first hit() is performed once limited via onClientMessage. |
.changeset/rate-limiter-continues-after-hit.md |
Adds a patch changeset documenting the behavioral/efficiency fix. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
cameri
approved these changes
Jul 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
isRateLimited()inEventMessageHandler(eventetAdapter(message rate limiting) looped through every configured rate limit window and calledrateLimiter.hit()for each one, even after an eop had already reported the client as rate-limited. Both methods nowreturn` as soon as thefirst exceeded window is found, instead of continRedis for)
every remaining window.
Related Issue
Fixes #685
Motivation and Context
Both
hit()implementations (SlidingWindowRateLexecute a Lua script against Redis on every call (a ZADD/HSET write). Once a client is already known to be rate-limited, continuing to hit everypure waste: a burst of messages/events from an already-limited client multiplies Redis writes by the number of configured windows, for no behavioral beturnstrue`/rejects the message either way).How Has This Been Tested?
test/unit/handlers/event-erting that once the first configured rate limit window reports limited, no furtherhit()` calls are made for subsequent windows.test/unit/adapters/web-socket-adapter.spec.tsdriving the same scenario through the public `onClientMh.pnpm run test:unit) — all 1395 tests pass, confirming no existing test relied on thevior.pnpm lint,pnpm check:deps,pnpm run build,pnpm run build:check,pnpm run verify:cli:build, `pnpm run test:cli — all pass.pnpm run docker:test:integration(99 scenarios): 97 passed, including theRate Limiterfeaturepnpm check:formatreports pre-existing formatut the error count is identical with and without this change, and none of the flagged lines are inthe diff — confirmed against the unmodified bas
Screenshots (if appropriate):
N/A — backend logic change only.
Types of changes
Checklist: