fix: align in-memory rate limiter to count blocked attempts like Redis

Always append the timestamp before checking the count so that sustained spam extends the window, matching the Redis backend's zadd-before-zcard semantics. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 13:13:55 -07:00
parent 6b55b52a68
commit 6af02f6b75
1 changed files with 1 additions and 3 deletions
--- a/backend/app/core/rate_limit.py
+++ b/backend/app/core/rate_limit.py
@@ -69,10 +69,8 @@ class InMemoryRateLimiter(RateLimiter):
            # Prune expired entries from the front (timestamps are monotonic)
            while timestamps and timestamps[0] <= cutoff:
                timestamps.popleft()
-            if len(timestamps) >= self._max_requests:
-                return False
            timestamps.append(now)
-            return True
+            return len(timestamps) <= self._max_requests


 class RedisRateLimiter(RateLimiter):