
🔒 [security] Replace insecure randomness in rate limiter member generation#19

Merged
Dexploarer merged 1 commit into
mainfrom
security-insecure-randomness-fix-8119899122187808228
May 3, 2026

Conversation

@Dexploarer

@Dexploarer Dexploarer commented May 1, 2026

Collaborator

🎯 What: The vulnerability fixed

The rate limiter was using Math.random().toString(36).slice(2, 10) to generate unique members for Redis sorted sets. Math.random() is not cryptographically secure and its output can be predictable.

⚠️ Risk: The potential impact if left unfixed

If an attacker can predict the output of Math.random(), they might be able to craft requests that collide with existing members in the Redis sorted set (especially if multiple requests occur within the same millisecond). This could lead to an inaccurate rate limit count, potentially allowing an attacker to bypass rate limits or cause legitimate users to be throttled incorrectly.

🛡️ Solution: How the fix addresses the vulnerability

Replaced Math.random() with crypto.randomUUID() from the built-in Node.js crypto module. randomUUID() provides cryptographically strong random values, making the member IDs unpredictable and significantly reducing the risk of collisions.


PR created automatically by Jules for task 8119899122187808228 started by @Dexploarer

Summary by CodeRabbit

  • Chores
    • Improved rate limiter reliability through enhanced internal identifier generation.

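The sliding-window check the description refers to, written out as an added example (it is not the project's apps/web/lib/rate-limit.ts and not Jules's code): the Redis sorted set is replaced by an in-memory Map so the logic runs offline, and the config field names (`limit`, `windowSeconds`), the trim/add/count order, and the helper names are assumptions. It shows why the member only needs to be unique, not secret, and that randomUUID() keeps two same-millisecond requests apart, which is the counting error the description warns about.

```typescript
// Added example, not the project's rate-limit.ts. A Map<member, score> stands in
// for the Redis sorted set; field names and the trim/add/count order are assumed.
import { randomUUID } from "node:crypto";

interface RateLimitConfig {
  limit: number;         // maximum requests allowed inside one window (assumed name)
  windowSeconds: number; // window length in seconds (name taken from the PR snippet)
}

// Stand-in for one Redis sorted set keyed by client: member -> score (ms timestamp).
type SortedSet = Map<string, number>;

interface RateLimitResult {
  allowed: boolean;
  count: number;  // requests seen in the current window, including this one
  member: string; // the member written for this request
}

// One sliding-window check: ZREMRANGEBYSCORE -inf windowStart, ZADD now member, ZCARD.
function slidingWindowCheck(zset: SortedSet, now: number, cfg: RateLimitConfig): RateLimitResult {
  const windowMs = cfg.windowSeconds * 1000;
  const windowStart = now - windowMs;

  // Drop requests that fell out of the window (ZREMRANGEBYSCORE).
  zset.forEach((score, m) => {
    if (score <= windowStart) zset.delete(m);
  });

  // The member is only a unique handle; the timestamp that matters is the score.
  // randomUUID() draws 122 bits from the CSPRNG, so two requests arriving in the
  // same millisecond get distinct members and are both counted. With
  // Math.random().toString(36).slice(2, 10) the suffix came from a non-cryptographic
  // generator, which is the predictability the PR removes.
  const member = `${now}-${randomUUID()}`;
  zset.set(member, now); // ZADD key now member

  const count = zset.size; // ZCARD key
  return { allowed: count <= cfg.limit, count, member };
}

// How many distinct members do n requests in the same millisecond produce?
// With randomUUID() the answer is n; a collision would silently drop a request
// from the count, because ZADD on an existing member only updates its score.
function distinctMembersInSameMs(n: number, now: number): number {
  const seen = new Set<string>();
  for (let i = 0; i < n; i++) seen.add(`${now}-${randomUUID()}`);
  return seen.size;
}

// Stand-alone demo with a constructed config: limit 3 per 10 s, four requests in one ms.
function demo(): void {
  const zset: SortedSet = new Map();
  const cfg: RateLimitConfig = { limit: 3, windowSeconds: 10 };
  const t0 = Date.now();
  for (let i = 0; i < 4; i++) {
    const r = slidingWindowCheck(zset, t0, cfg);
    console.log(`request ${i + 1}: allowed=${r.allowed} count=${r.count} member=${r.member}`);
  }
  console.log(`distinct members for 10000 same-ms requests: ${distinctMembersInSameMs(10000, t0)}`);
}

demo();
```

The check counts the new member before comparing against the limit, so the fourth request in a window of three is rejected; once `now` moves past `windowStart` the old entries are trimmed and the count starts over.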
…rate limiter

Replaces Math.random() with the cryptographically secure randomUUID()
from node:crypto for generating Redis sorted set members in the sliding
window rate limiter. This prevents potential predictability of the
member suffixes.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
@google-labs-jules

Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@vercel

vercel Bot commented May 1, 2026

Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: gitshipt
Deployment: Error
Actions: Error
Updated (UTC): May 1, 2026 3:31pm

@coderabbitai

coderabbitai Bot commented May 1, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 759945c2-71ca-404f-811d-7f3058e8228f

📥 Commits

Reviewing files that changed from the base of the PR and between 53f93cf and 80e82fe.

📒 Files selected for processing (1)
  • apps/web/lib/rate-limit.ts

📝 Walkthrough

Walkthrough

The rate limiter in apps/web/lib/rate-limit.ts now uses randomUUID() from node:crypto instead of Math.random() to generate unique identifiers for tracking individual requests in Redis sorted sets. The sliding-window rate-limiting logic remains functionally unchanged.

Changes

Cohort / File(s): Rate Limiter UUID Generation (apps/web/lib/rate-limit.ts)
Summary: Replaced Math.random()-based string generation with randomUUID() from node:crypto for creating unique member identifiers in Redis sorted-set operations. Import added, single zadd call updated.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A hop, a skip, a UUID's glow,
Where random once danced, now secure streams flow,
Crypto's gift replaces the dice,
Rate limits held steady and nice! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check (Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (Passed): The title accurately identifies the main security change: replacing insecure Math.random() with cryptographically secure randomUUID() in the rate limiter.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.



@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the rate-limiting logic to use randomUUID() from node:crypto instead of Math.random() for generating unique member identifiers in Redis. A review comment suggests further optimizing memory usage by removing the redundant timestamp prefix from the member string, as the UUID provides sufficient uniqueness and the timestamp is already stored as the score in the sorted set.

const windowMs = cfg.windowSeconds * 1000;
const windowStart = now - windowMs;
const member = `${now}-${Math.random().toString(36).slice(2, 10)}`;
const member = `${now}-${randomUUID()}`;
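Review bot: the hunk shown replaces the Math.random() suffix but does not include the matching import line; confirm that `import { randomUUID } from "node:crypto"` was added at the top of apps/web/lib/rate-limit.ts in the same change (the walkthrough says an import was added, but it is not visible here) so the file does not fail at runtime with an undefined identifier. A one-line comment on the new `member` assignment stating that the member is only a uniqueness handle and that the timestamp used for the window lives in the sorted-set score would make clear to the next reader that the `${now}-` prefix is not load-bearing.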


medium

The ${now}- prefix in the member string is redundant when using randomUUID(). Since randomUUID() provides a cryptographically strong, globally unique identifier, it is sufficient on its own to prevent collisions within the Redis sorted set. Removing the prefix reduces the size of each entry in Redis, which can lead to memory savings in high-traffic scenarios without affecting the correctness of the rate limiter, as the timestamp is already stored as the score in the sorted set.

Suggested change
const member = `${now}-${randomUUID()}`;
const member = randomUUID();
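Review bot: before applying this suggestion, confirm that nothing else reads the timestamp back out of the member string; the walkthrough says only the single zadd call was updated, and once the prefix is gone the score is the only place the timestamp is kept, so any debugging path that parsed `${now}-` from a ZRANGE result would lose it. The correctness argument holds as stated: the window count depends on scores, not member contents, and a v4 UUID alone is unique enough, so the change is safe if no reader of the member exists.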

@Dexploarer Dexploarer merged commit 5fc1a3a into main May 3, 2026
5 of 8 checks passed
@Dexploarer Dexploarer deleted the security-insecure-randomness-fix-8119899122187808228 branch May 3, 2026 08:02