
Dev to Main Sync #2578

Merged
iamitprakash merged 3 commits into main from develop
Feb 21, 2026

Conversation

@AnujChhikara (Contributor) commented Feb 21, 2026

Date: 21 Feb 2026

Developer Name: @vinit717 @AnujChhikara


Issue Ticket Number

PRs going for sync

Description

  • Added the application image upload functionality, fixed application edit bugs and nudge score logic

Documentation Updated?

  • Yes
  • No

Under Feature Flag

  • Yes
  • No

Database Changes

  • Yes
  • No

Breaking Changes

  • Yes
  • No

Development Tested?

  • Yes
  • No

Screenshots

Edit application:

edit-proof.mp4

Image upload:

create-proof.mp4

vinit717 and others added 3 commits February 19, 2026 10:50
…up-idle

fix: test expectations for idle user
* feat: enhance application scoring and update validation

- Added score handling in nudgeApplication logic to increment score on nudging.
- Updated application creation to set an initial score of 50.
- Enhanced application update validation to include optional fields: firstName, lastName, college, skills, city, state, country, and role.
- Improved integration tests to verify score updates and application modifications.
- Adjusted unit tests to reflect changes in application scoring logic.

* feat: introduce application scoring system and update application queries

* test: refactor application update test for invalid role handling

* refactor: remove firstName and lastName from application update validation and tests

* refactor: rename 'college' to 'institution' in application validation, service, and tests
router.post("/picture", authenticate, checkIsVerifiedDiscord, upload.single("profile"), users.postUserPicture);
router.post(
"/picture",
authenticate,

Check failure: Code scanning / CodeQL

Missing rate limiting (High)

This route handler performs authorization, but is not rate-limited. (Reported as three alert variants on this route.)

Copilot Autofix (AI) commented 5 days ago

In general, to fix missing rate limiting on an Express route that performs authentication/authorization and potentially expensive work, you should add a rate-limiting middleware (e.g., via express-rate-limit) before the handler. This middleware should be configured to allow a reasonable number of requests per user/IP in a fixed time window, returning HTTP 429 when exceeded. Applying it specifically to the sensitive route avoids impacting unrelated traffic.

For this code, the least intrusive and clearest fix is to introduce an express-rate-limit middleware in routes/users.js and apply it only to the /picture POST route. That keeps existing functionality unchanged except for enforcing a maximum number of profile picture upload attempts per IP (or per whatever key the rate limiter uses). Concretely:

  • Add const rateLimit = require("express-rate-limit"); near the other require statements.
  • Define a const pictureUploadLimiter = rateLimit({...}) with a sensible windowMs and max value (e.g., smallish cap such as 10–20 attempts per 15 minutes, which is generous for profile pictures but mitigates DoS).
  • Insert pictureUploadLimiter into the middleware chain for router.post("/picture", ...), right after authenticate (so only authenticated users are counted, but before actual upload/processing to minimize resource usage on abusive requests).

This addresses all three alert variants, is localized to the shown file, and avoids changing any external behavior other than adding rate limiting.

Suggested changeset 2
routes/users.js

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/routes/users.js b/routes/users.js
--- a/routes/users.js
+++ b/routes/users.js
@@ -16,7 +16,13 @@
 const { userAuthorization } = require("../middlewares/userAuthorization");
 const conditionalMiddleware = require("../middlewares/conditionalMiddleware");
 const skipWhenApplicationType = require("../middlewares/pictureRouteMiddleware");
+const rateLimit = require("express-rate-limit");
 
+const pictureUploadLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 20, // limit each IP to 20 picture upload requests per windowMs
+});
+
 router.post("/", authorizeAndAuthenticate([ROLES.SUPERUSER], [Services.CRON_JOB_HANDLER]), users.markUnverified);
 router.post("/update-in-discord", authenticate, authorizeRoles([SUPERUSER]), users.setInDiscordScript);
 router.post("/verify", authenticate, users.verifyUser);
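Review bot: the new pictureUploadLimiter counts per client IP (its own comment says "limit each IP"), while the explanation above says only authenticated users are counted; since the limiter runs after authenticate, pass a keyGenerator that keys on the authenticated user's id, otherwise users behind a shared NAT or proxy egress share one 20-request bucket and a single noisy client can lock out everyone on the same address. Setting standardHeaders: true and legacyHeaders: false in the same options object would also give clients the RateLimit-* headers and a Retry-After on the 429.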
@@ -69,6 +74,7 @@
 router.post(
   "/picture",
   authenticate,
+  pictureUploadLimiter,
   upload.single("profile"),
   skipWhenApplicationType(checkIsVerifiedDiscord),
   users.handleUserPictureUpload
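Review bot: pictureUploadLimiter sits after authenticate and before upload.single("profile"), so the 429 is returned before multer parses the multipart body, which is the right spot; but skipWhenApplicationType(checkIsVerifiedDiscord) still runs only after the upload has been parsed, so an unverified user's file is fully received and buffered before being rejected. Consider moving that check ahead of upload.single("profile") as well, unless the verification depends on the parsed body.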
EOF
package.json
Outside changed files

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -42,7 +42,8 @@
     "passport-github2": "0.1.12",
     "passport-google-oauth20": "^2.0.0",
     "rate-limiter-flexible": "5.0.3",
-    "winston": "3.13.0"
+    "winston": "3.13.0",
+    "express-rate-limit": "^8.2.1"
   },
   "devDependencies": {
     "@types/chai": "4.3.16",
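Review bot: the dependency list already contains "rate-limiter-flexible": "5.0.3" three lines above the insertion, so this patch introduces a second rate-limiting library for a single route; either build pictureUploadLimiter on the package already installed or record why express-rate-limit is needed alongside it. Minor: the new entry is appended after "winston" rather than in the alphabetical position the surrounding keys follow, and it uses a caret range ("^8.2.1") where the neighbouring entries pin exact versions.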
This fix introduces these dependencies:

Package: express-rate-limit (npm), version 8.2.1, security advisories: none
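As an added illustration of the fix the autofix describes (this is not the repository's code nor the autofix patch), the block below hand-rolls a fixed-window limiter for the /picture route that keys on the authenticated user instead of the client IP, so it runs with no dependencies in place of express-rate-limit; req.userData.id, res.status() and res.json() are assumed to match the app's request and response shape.

```javascript
// Added example, not the repository's code: a fixed-window limiter for POST /picture
// keyed on the authenticated user (express-rate-limit's default key is the client IP).
// It stands in for express-rate-limit so it runs without dependencies; req.userData.id,
// res.status() and res.json() are assumed to match the app's request/response shape.

function createRateLimiter({ windowMs, max, keyGenerator, now = Date.now }) {
  const buckets = new Map(); // key -> { count, resetAt }

  return function limiter(req, res, next) {
    const t = now();
    const key = keyGenerator(req);
    let bucket = buckets.get(key);
    if (!bucket || t >= bucket.resetAt) {        // first hit, or window expired: start a new one
      bucket = { count: 0, resetAt: t + windowMs };
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    res.setHeader("RateLimit-Limit", String(max));
    res.setHeader("RateLimit-Remaining", String(Math.max(0, max - bucket.count)));
    if (bucket.count > max) {                   // over budget: reject before multer parses the body
      res.setHeader("Retry-After", String(Math.ceil((bucket.resetAt - t) / 1000)));
      return res.status(429).json({ error: "Too Many Requests" });
    }
    return next();
  };
}

// Key on the user id that `authenticate` attaches; fall back to the IP only if it is missing.
function userOrIpKey(req) {
  return req.userData && req.userData.id ? `user:${req.userData.id}` : `ip:${req.ip}`;
}

// Drive the limiter with constructed requests and a controllable clock; returns status codes.
function simulateUploads({ windowMs = 15 * 60 * 1000, max = 20, times, userId = "u1" }) {
  let clock = 0;
  const limiter = createRateLimiter({ windowMs, max, keyGenerator: userOrIpKey, now: () => clock });
  return times.map((t) => {
    clock = t;
    const req = { userData: { id: userId }, ip: "198.51.100.7" }; // constructed sample request
    const res = {
      statusCode: 200, headers: {},
      setHeader(k, v) { this.headers[k] = v; },
      status(c) { this.statusCode = c; return this; },
      json() { return this; },
    };
    limiter(req, res, () => {});
    return res.statusCode;
  });
}
```

simulateUploads({ max: 20, times: Array(22).fill(0) }) lets 20 requests through and answers the last two with 429, and a timestamp at or past the window start plus windowMs opens a fresh bucket.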
@coderabbitai bot commented Feb 21, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@AnujChhikara AnujChhikara self-assigned this Feb 21, 2026
@iamitprakash iamitprakash merged commit b04b91f into main Feb 21, 2026
4 of 5 checks passed