fix: prevent rate limiter quota leak on limit exceeded (#5895)

[vipul674]

Fixes #5895

Problem

When using Upstash Redis/KV, the rate limiter used INCR to increment the counter before checking if the limit was exceeded. This meant rejected requests still consumed quota, effectively lowering the rate limit below the configured value.

For example, with limit=10, if a user makes 10 requests (counter=10), the 11th request would:

1. INCR → counter becomes 11
2. Check: 11 > 10 → reject

But now the counter is 11, meaning the user is permanently one request over the limit until the window resets.

Fix

Check the current count first using GET + TTL, and only INCR if the count is below the limit. Rejected requests no longer consume quota.

[vercel]

@vipul674 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

[vipul674]

@JhaSourav07 Ready for review.

[github-actions]

📦 Next.js Bundle Size Report (Gzipped Sizes)

✨ No significant bundle size changes detected.

📊 Summary of Totals

Category	PR Size	Base Size	Difference
Total JS	3628.47 KB	3628.47 KB	0 B
Total CSS	284.92 KB	284.92 KB	0 B

[vipul674]

@JhaSourav07 Review Reminder

[Aamod-Dev]

Difficulty: intermediate – Changes rate-limit.ts to GET+check before INCR, preventing quota leak when limit exceeded (39 additions, 12 deletions).

Quality: clean – Fixes INCR-on-rejection bug.

Type: bug + security – Prevents rate limiter bypass issue #5895.

Important security fix!

[github-actions]

🎉 Congratulations @vipul674! Your PR has been successfully merged. 🚀

Thank you for contributing to CommitPulse. Your work helps us build a better tool for the community.

⚠️ Important for GSSoC Contributors:
You are strictly advised to join our Discord Server as it is mandatory for all GSSoC participants. All important announcements, point claims, and community discussions happen there.

Keep building! 💻✨