fix: exclude /api/status from rate limiter, fix Docker healthcheck URL

ttbombadil · ttbombadil · commit ad6a8dafc284 · 2026-04-14T15:05:36.000+02:00
Root cause: /api/status polling consumed all 100 rate-limit tokens in
&lt;60 seconds. Subsequent /api/compile calls returned 429, showing
"Compilation Failed" to the user. Only a Docker restart reset the
counters.

Changes:
- Add /api/status to rate limiter skip list (lightweight polling endpoint)
- Increase production max from 100 to 300 requests per 15 minutes
- Fix Docker healthcheck: /health -&gt; /api/health (correct endpoint)
- Fix healthcheck tool: wget -&gt; curl (available in node:slim image)
- Add rate-limit skip list test (2 test cases)
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -33,7 +33,7 @@ services:
       - ${PWD}/temp:${PWD}/temp
       - ./storage:/app/storage
     healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:3000/health"]
+      test: ["CMD", "curl", "-sf", "http://localhost:3000/api/health"]
       interval: 30s
       timeout: 10s
       retries: 3
diff --git a/server/index.ts b/server/index.ts
@@ -117,14 +117,15 @@ const isTestMode =
   process.env.NODE_ENV === "test" || process.env.DISABLE_RATE_LIMIT === "true";
 const apiLimiter = rateLimit({
   windowMs: 15 * 60 * 1000, // 15 Minuten
-  max: isTestMode ? 10000 : 100, // 10000 in Test-Modus, 100 in Produktion
+  max: isTestMode ? 10000 : 300, // 10000 in Test-Modus, 300 in Produktion
   message: { error: "Too many requests, please try again later." },
   standardHeaders: true,
   legacyHeaders: false,
   skip: (req) =>
     isTestMode ||
     req.originalUrl === "/api/examples" ||
-    req.originalUrl === "/api/health", // Skip for lightweight endpoints
+    req.originalUrl === "/api/status" ||
+    req.originalUrl === "/api/health", // Skip for lightweight/polling endpoints
 });
 
 // Apply rate limiting to API routes
diff --git a/tests/server/routes/rate-limit-skip.test.ts b/tests/server/routes/rate-limit-skip.test.ts
@@ -0,0 +1,151 @@
+/**
+ * Verifies /api/status is excluded from the global rate limiter.
+ *
+ * Regression: in production mode (max=300/15 min), rapid /api/status polling
+ * consumed all tokens and blocked /api/compile → "Compilation Failed".
+ */
+import { describe, it, expect, afterAll } from "vitest";
+import express from "express";
+import rateLimit from "express-rate-limit";
+import http from "node:http";
+
+// ── helpers ──────────────────────────────────────────────────────────────
+
+function listen(app: express.Express): Promise<{ baseUrl: string; server: http.Server }> {
+  return new Promise((resolve) => {
+    const server = app.listen(0, () => {
+      const addr = server.address() as { port: number };
+      resolve({ baseUrl: `http://127.0.0.1:${addr.port}`, server });
+    });
+  });
+}
+
+async function httpGet(baseUrl: string, path: string): Promise<{ status: number; body: string }> {
+  return new Promise((resolve, reject) => {
+    const url = new URL(path, baseUrl);
+    http.get(url, (res) => {
+      let data = "";
+      res.on("data", (chunk: string) => { data += chunk; });
+      res.on("end", () => resolve({ status: res.statusCode ?? 0, body: data }));
+    }).on("error", reject);
+  });
+}
+
+// ── tests ────────────────────────────────────────────────────────────────
+
+describe("Rate limiter skip list", () => {
+  let baseUrl: string;
+  let server: http.Server;
+
+  afterAll(() =>
+    new Promise<void>((resolve, reject) => {
+      server?.close((err) => (err ? reject(err) : resolve()));
+    }),
+  );
+
+  it("/api/status is excluded — 150 status polls do not block /api/compile", async () => {
+    // Build a minimal Express app with the SAME rate-limiter config as index.ts
+    const app = express();
+
+    const apiLimiter = rateLimit({
+      windowMs: 15 * 60 * 1000,
+      max: 10, // very low to prove status is skipped
+      message: { error: "Too many requests, please try again later." },
+      standardHeaders: true,
+      legacyHeaders: false,
+      skip: (req) =>
+        req.originalUrl === "/api/examples" ||
+        req.originalUrl === "/api/status" ||
+        req.originalUrl === "/api/health",
+    });
+
+    app.use("/api/", apiLimiter);
+    app.use(express.json());
+
+    app.get("/api/status", (_req, res) => res.json({ status: "ok" }));
+    app.get("/api/health", (_req, res) => res.json({ status: "ok" }));
+    app.post("/api/compile", (_req, res) => res.json({ success: true }));
+
+    ({ baseUrl, server } = await listen(app));
+
+    // Hammer /api/status 150 times — must NOT exhaust tokens
+    for (let i = 0; i < 150; i++) {
+      const { status } = await httpGet(baseUrl, "/api/status");
+      expect(status).toBe(200);
+    }
+
+    // /api/compile must still succeed
+    const compileRes = await new Promise<{ status: number; body: string }>((resolve, reject) => {
+      const url = new URL("/api/compile", baseUrl);
+      const req = http.request(
+        { hostname: url.hostname, port: url.port, path: url.pathname, method: "POST", headers: { "Content-Type": "application/json" } },
+        (res) => {
+          let data = "";
+          res.on("data", (chunk: string) => { data += chunk; });
+          res.on("end", () => resolve({ status: res.statusCode ?? 0, body: data }));
+        },
+      );
+      req.on("error", reject);
+      req.write(JSON.stringify({ code: "void setup(){}" }));
+      req.end();
+    });
+
+    expect(compileRes.status).toBe(200);
+    expect(JSON.parse(compileRes.body).success).toBe(true);
+  });
+
+  it("/api/compile IS rate-limited after exceeding max", async () => {
+    const app = express();
+
+    const apiLimiter = rateLimit({
+      windowMs: 15 * 60 * 1000,
+      max: 3, // low limit to trigger quickly
+      message: { error: "Too many requests, please try again later." },
+      standardHeaders: true,
+      legacyHeaders: false,
+      skip: (req) =>
+        req.originalUrl === "/api/examples" ||
+        req.originalUrl === "/api/status" ||
+        req.originalUrl === "/api/health",
+    });
+
+    app.use("/api/", apiLimiter);
+    app.use(express.json());
+    app.post("/api/compile", (_req, res) => res.json({ success: true }));
+
+    const { baseUrl: url2, server: srv2 } = await listen(app);
+
+    // Consume all 3 tokens
+    for (let i = 0; i < 3; i++) {
+      const resp = await new Promise<{ status: number }>((resolve, reject) => {
+        const u = new URL("/api/compile", url2);
+        const req = http.request(
+          { hostname: u.hostname, port: u.port, path: u.pathname, method: "POST", headers: { "Content-Type": "application/json" } },
+          (res) => { res.resume(); res.on("end", () => resolve({ status: res.statusCode ?? 0 })); },
+        );
+        req.on("error", reject);
+        req.write(JSON.stringify({ code: "x" }));
+        req.end();
+      });
+      expect(resp.status).toBe(200);
+    }
+
+    // 4th compile must be rate-limited (429)
+    const resp = await new Promise<{ status: number }>((resolve, reject) => {
+      const u = new URL("/api/compile", url2);
+      const req = http.request(
+        { hostname: u.hostname, port: u.port, path: u.pathname, method: "POST", headers: { "Content-Type": "application/json" } },
+        (res) => { res.resume(); res.on("end", () => resolve({ status: res.statusCode ?? 0 })); },
+      );
+      req.on("error", reject);
+      req.write(JSON.stringify({ code: "x" }));
+      req.end();
+    });
+
+    expect(resp.status).toBe(429);
+
+    await new Promise<void>((resolve, reject) => {
+      srv2.close((err) => (err ? reject(err) : resolve()));
+    });
+  });
+});
