fix: add input validation and rate limiting to /api/compare endpoint

[vipul674]

Description

Fixes a security vulnerability in /api/compare where raw, unvalidated user1 and user2 query parameters were passed directly to getFullDashboardData() with no input validation and no IP-based rate limiting.

Every other API route (/api/streak, /api/github, /api/stats, /api/og) validates usernames via Zod schema and is covered by the middleware rate limiter. /api/compare was the sole exception — each request triggers 8 unauthenticated GitHub API calls (4 per user) with zero protection.

Changes

1. lib/validations.ts — Added compareParamsSchema using the existing GITHUB_USERNAME_REGEX, with a .refine() to reject self-comparison
2. app/api/compare/route.ts — Replaced manual null checks with Zod safeParse(), matching the pattern used by all other API routes
3. middleware.ts — Added /api/compare/:path* to the rate-limiter matcher

Difficulty & Label Request

• Assessed difficulty: level:beginner
• Maintainer: please apply the level:beginner label if this assessment is appropriate, so this contribution is scored correctly under GSSoC 2026 guidelines.
• Maintainer: please also apply the gssoc:approved label after review so this PR earns its base GSSoC points. Thank you!

Type

• Bug fix

Testing & Verification

• Code logic verified — Zod schema reuses existing GITHUB_USERNAME_REGEX
• Rate limiter matcher now includes /api/compare
• Pattern consistent with /api/github, /api/streak, /api/stats routes

Note on Copilot Review Comments

• Comments Install and configure Vercel Web Analytics #1 and 🎨 Feature Request: Add New Color Themes #2 suggest z.string({ error: ... }) is invalid — this is incorrect for Zod v4 (^4.4.3). The error option is valid and matches the existing pattern at lib/validations.ts:281 (githubParamsSchema).
• Comment Create a THEMES.md Gallery #3 suggests normalizing error.flatten() — this matches the exact pattern used by every other API route (/api/github/route.ts:31, /api/streak/route.ts, /api/stats/route.ts). Consistency with the existing codebase takes precedence.

GSSoC 2026 Compliance & Transparency

• AI Assistance Disclosure: AI assistance was used to develop this solution. All generated logic has been audited, verified, and locally tested by me to meet project standards.
• Closes fix: /api/compare endpoint lacks input validation and rate limiting #2046

[vercel]

@vipul674 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds support for a new /api/compare route and centralizes query parameter validation for the compare endpoint.

Changes:

• Adds /api/compare/:path* to the middleware matcher config.
• Introduces compareParamsSchema (Zod) for validating user1/user2 GitHub usernames (including “not the same user” constraint).
• Updates app/api/compare/route.ts to use schema-based validation and return structured validation errors.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
middleware.ts	Adds the compare API path to middleware matching config.
lib/validations.ts	Adds a Zod schema for compare endpoint query parameters and constraints.
app/api/compare/route.ts	Switches to schema-based validation and returns validation details on bad requests.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Aamod007]

@vipul674 look for conflcts

[vipul674]

@Aamod007 No conflicts, the PR is mergeable. All code checks (Format, Lint, Typecheck, Test, Production Build) are passing. The remaining CI failures are Vercel authorization (needs maintainer action) and the GitHub API rate limits.

[Aamod007]

work on these

[vipul674]

@Aamod007 As you have requested, i have ensured that the checks pass, now only the vercel requires your authorization. Please review and let me know for any changes.

[Aamod007]

@vipul674 work on pipeline fix

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

⚠️ Hey @vipul674, this PR has merge conflicts with the main branch.

Please pull the latest changes and resolve the conflicts so we can review it!

git fetch origin
git rebase origin/main
# resolve any conflicts, then:
git push --force-with-lease

Once resolved, the needs-rebase label will be removed automatically on the next check. 🙌

[github-actions]

🚨 Hey @vipul674, the CI Pipeline is failing on this PR and it has been marked as status:blocked.

Please fix the issues before this can be reviewed. Here's how:

1. Run checks locally before pushing:

npm run format:check   # Check Prettier formatting
npm run lint           # Run ESLint
npm run typecheck      # TypeScript type check
npm run test           # Run unit tests (Vitest)
npm run build          # Verify production build passes

2. Auto-fix common issues:

npm run format         # Auto-fix formatting with Prettier
npm run lint -- --fix  # Auto-fix lint errors where possible

3. Check the full failure log here:
👉 View CI Run

Once you push a fix and the CI passes, the status:blocked label will be removed automatically. 💪

[github-actions]

🚨 Hey @vipul674, the CI Pipeline is failing on this PR and it has been marked as status:blocked.

Please fix the issues before this can be reviewed. Here's how:

1. Run checks locally before pushing:

npm run format:check   # Check Prettier formatting
npm run lint           # Run ESLint
npm run typecheck      # TypeScript type check
npm run test           # Run unit tests (Vitest)
npm run build          # Verify production build passes

2. Auto-fix common issues:

npm run format         # Auto-fix formatting with Prettier
npm run lint -- --fix  # Auto-fix lint errors where possible

3. Check the full failure log here:
👉 View CI Run

Once you push a fix and the CI passes, the status:blocked label will be removed automatically. 💪

[vipul674]

@Aamod007 Now the checks pass, Only the Vercel deployment authorization is blocking, please review and let me know for any other change

[vipul674]

@JhaSourav07 The changes have been approved by @Aamod007 . Please review

[github-actions]

🎉 Congratulations @vipul674! Your PR has been successfully merged. 🚀

Thank you for contributing to CommitPulse. Your work helps us build a better tool for the community.

⚠️ Important for GSSoC Contributors:
You are strictly advised to join our Discord Server as it is mandatory for all GSSoC participants. All important announcements, point claims, and community discussions happen there.

Keep building! 💻✨