Add per-IP rate limit to OTP

[pepeladeira]

Summary by CodeRabbit

Bug Fixes

• OTP request rate limiting has been enhanced with a dual-tier protection system. The system now enforces both stricter per-email-and-IP constraints in addition to broader IP-based limits to ensure improved service reliability, better request handling, and enhanced protection during high-traffic scenarios and peak usage periods.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
dub	Ready	Preview	Jun 8, 2026 8:10pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2083f5eb-14c0-4609-9f34-3f43dfeed2d9

📥 Commits

Reviewing files that changed from the base of the PR and between 85966c2 and 7067627.

📒 Files selected for processing (1)

• apps/web/lib/actions/send-otp.ts

---

📝 Walkthrough

Walkthrough

The sendOtpAction function now enforces dual-layer rate limiting on OTP requests. Instead of a single rate limit, the implementation fetches the client IP once and applies two concurrent checks: a 2 requests/minute limit by email+IP pair and a 15 requests/hour limit by IP alone. Both limits must pass; either failure triggers the same error response.

Changes

OTP Rate-limiting Enhancement

Layer / File(s)	Summary
Dual-layer rate limiting in OTP action apps/web/lib/actions/send-otp.ts	sendOtpAction refactored to run two concurrent ratelimit checks in parallel: email+IP restricted to 2/minute and IP restricted to 15/hour. IP is fetched once and reused. Either check failure throws "Too many requests. Please try again later.".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Rate limits, now doubled with care,
One per email, one per IP fair,
Two checks in parallel run,
Protecting OTPs—brute force? No fun! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately describes the main change: adding a per-IP rate limit to the OTP sending functionality, which is exactly what the changeset implements.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch otp-send-ip-ratelimit

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[general-adhoc]

getIP() can silently return 0.0.0.0 when request IP headers are missing. Since this PR adds an IP-only limiter, fallback usage becomes much more important to observe. Could we expose/log the IP source here, so we can monitor how often OTP requests are falling into the shared fallback bucket?

[general-adhoc]

would recommend logging more detailed info when we are rejecting OTP requests

[general-adhoc]

Overall I think this is a great system protection to add (esp. against bots / AI), however would recommend adding a little better logging/observability so we can understand how often we're using FALLBACK_IP_ADDRESS and denying OTP requests.

Also, it would be good to setup some sort of alarming on OTP throttling so we can understand if we are getting attacked vs. many new signups for a new corp client etc. Maybe >10 blocks in 10m to start