From 6af02f6b75d9e31808e9e5c81af84185ce4ece75 Mon Sep 17 00:00:00 2001
From: Hugh Brown
Date: Wed, 4 Mar 2026 13:13:55 -0700
Subject: [PATCH] fix: align in-memory rate limiter to count blocked attempts like Redis

Always append the timestamp before checking the count so that sustained spam extends the window, matching the Redis backend's zadd-before-zcard semantics.

Co-Authored-By: Claude Opus 4.6
---
 backend/app/core/rate_limit.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/backend/app/core/rate_limit.py b/backend/app/core/rate_limit.py
index ad019e37..7c46f200 100644
--- a/backend/app/core/rate_limit.py
+++ b/backend/app/core/rate_limit.py
@@ -69,10 +69,8 @@ class InMemoryRateLimiter(RateLimiter):
 # Prune expired entries from the front (timestamps are monotonic)
 while timestamps and timestamps[0] <= cutoff:
 timestamps.popleft()
- if len(timestamps) >= self._max_requests:
- return False
 timestamps.append(now)
- return True
+ return len(timestamps) <= self._max_requests
 
 
 class RedisRateLimiter(RateLimiter):
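Review bot: With `timestamps.append(now)` now running on every call, the per-key deque is no longer capped at `_max_requests` entries. A client that keeps sending while blocked adds one timestamp per request for the whole window, so memory per key grows with the request rate of whoever is being throttled. Only the newest `_max_requests + 1` timestamps can change the verdict, so trimming right after the append keeps the same result with bounded memory: `while len(timestamps) > self._max_requests + 1: timestamps.popleft()`. The start of the method and the construction of the deque are outside this hunk, so a `maxlen` may be the simpler fix if the deque is created in this class. Since the method now records the attempt before it can return False, a comment on the return line such as `# blocked attempts are recorded too, so sustained traffic keeps the key blocked` would also help.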