fix: prevent rate limiter bypass via Lua atomic script

[YashIIT0909]

Description

This PR resolves a critical rate-limiter bypass vulnerability in the SlidingWindowRateLimiter by migrating the sliding-window operations from Node.js Promise.all logic into an atomic Lua script executed natively on the Redis client.

It accomplishes three crucial fixes:

1. Eliminates a severe TOCTOU (Time-of-Check to Time-of-Use) race condition caused by interleaved reads and writes during heavy concurrent connection bursts.
2. Dynamically prevents Redis Key Collisions by implementing an entirely self-contained incremental counter loop while redis.call('ZSCORE', key, member), entirely avoiding data loss for exact-millisecond bursts without relying on heavy external UUID libraries for uniqueness.
3. Patches a dormant expiration calculation bug by switching from the seconds-based EXPIRE command to the precisely accurate milliseconds-based PEXPIRE command.

Related Issue

Fixes #467

Motivation and Context

Previously, when hundreds of WebSocket connections or REST payloads arrived in the exact same millisecond, Redis answered 0 to the initial grouped read checks before any writing actually completed due to Node's asynchronous event loop. This allowed massive concurrent bursts to completely bypass the configured metrics. Furthermore, because concurrent writes were uniquely formatted strictly as timestamp:step, they overwrote each other as exact-duplicate members in the ZSET, effectively erasing accurate metrics from the cache. Utilizing an atomic eval wrapper enforces exact, bottlenecked throughput serialization in Redis, guaranteeing the metrics are impenetrable to race-condition exploitation.

How Has This Been Tested?

1. Unit Testing: Updated and successfully passed all existing Mocha unit tests for the SlidingWindowRateLimiter and its eval implementations via ICacheAdapter stubs (npm run test:unit).
2. Security Load Testing: Deployed a strict 5 / minute environment threshold locally via Docker Compose.
3. Fired 1,000 concurrent payloads inside the exact same millisecond using a WebSocket parallel Promise.all() PoC script.
4. Result: Verified that the server perfectly filters and drops 995 requests returning ["NOTICE", "rate limited"], while safely accepting exactly 5 requests, proving maximum robustness against intentional bypass bursts.

Screenshots (if appropriate):

The screenshot is of a checking script that is being ran against a limit of 5.

Types of changes

• Non-functional change (docs, style, minor refactor)
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my code changes.
• All new and existing tests passed.

[changeset-bot]

🦋 Changeset detected

Latest commit: 3fe35ef

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
nostream	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coveralls]

coverage: 65.143% (+2.4%) from 62.753% — YashIIT0909:fix/rate-limiter into cameri:main

[Copilot]

Pull request overview

This PR hardens the SlidingWindowRateLimiter against concurrent-burst bypasses by moving its Redis sliding-window logic into an atomic Lua script (and switching expiry to millisecond precision), addressing the race/collision behavior described in #467.

Changes:

• Replaces multi-call Redis logic in SlidingWindowRateLimiter.hit() with a single Redis-evaluated Lua script (atomic ZSET maintenance + unique member generation).
• Adds a raw Lua eval helper to the Redis cache adapter and updates the cache adapter typing/tests to stub eval.
• Adds a changeset documenting the patch release.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
src/utils/sliding-window-rate-limiter.ts	Migrates sliding-window operations into an atomic Lua script and uses PEXPIRE for ms-accurate expiry.
src/adapters/redis-adapter.ts	Adds evalRaw alongside existing SHA-cached eval implementation.
src/@types/adapters.ts	Updates ICacheAdapter typing context around eval (formatting/spacing).
test/unit/utils/sliding-window-rate-limiter.spec.ts	Updates unit tests to stub cache.eval and assert boolean outcomes.
.changeset/metal-snails-prove.md	Patch changeset for the rate-limiter bypass fix.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

These tests now only assert the boolean mapping of the Redis result. Given the security impact of this change, it would be better to also assert that cache.eval is invoked with the expected keys/args (period/step/rate) and add a case where the stub resolves to a string (e.g. '1') to ensure the production code handles Redis return types robustly.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[cameri]

@YashIIT0909 The lua script isn't actually being tested, right? How do we know for sure this change is working as intended?