fix(backend): improve reliability of rate limiting, leaderboards, and PB updates (@chinmaydwivedi)

- Migrate bad auth rate limiter from in-memory to Redis-backed store with
  memory fallback, fixing per-instance bypass in multi-instance deployments
- Replace full document fetch with $count aggregation for friends leaderboard
  count, avoiding loading all entries into Node memory
- Add 10-minute TTL to leaderboard count cache to prevent stale data and
  unbounded memory growth
- Merge two separate updateOne calls in checkIfPb into a single atomic
  operation to prevent inconsistent personalBests/lbPersonalBests state
- Remove stale hourOffset migration code in updateStreak
- Remove leftover console.log in addImportantLog that leaked event data
  to stdout

Author: chinmaydwivedi

backend/src/dal/leaderboards.ts

@@ -94,7 +94,8 @@ export async function get(
   }
 }
 
-const cachedCounts = new Map<string, number>();
+const CACHE_TTL_MS = 10 * 60 * 1000;
+const cachedCounts = new Map<string, { count: number; expiresAt: number }>();
 
 export async function getCount(
   mode: string,
@@ -103,27 +104,33 @@ export async function getCount(
   uid?: string,
 ): Promise<number> {
   const key = `${language}_${mode}_${mode2}`;
-  if (uid === undefined && cachedCounts.has(key)) {
-    return cachedCounts.get(key) as number;
+  const cached = cachedCounts.get(key);
+  if (
+    uid === undefined &&
+    cached !== undefined &&
+    cached.expiresAt > Date.now()
+  ) {
+    return cached.count;
   } else {
     if (uid === undefined) {
       const count = await getCollection({
         language,
         mode,
         mode2,
       }).estimatedDocumentCount();
-      cachedCounts.set(key, count);
+      cachedCounts.set(key, { count, expiresAt: Date.now() + CACHE_TTL_MS });
       return count;
     } else {
-      return (
-        await aggregateWithAcceptedConnections(
-          {
-            collectionName: getCollectionName({ language, mode, mode2 }),
-            uid,
-          },
-          [{ $project: { _id: true } }],
-        )
-      ).length;
+      const result = await aggregateWithAcceptedConnections<{
+        total: number;
+      }>(
+        {
+          collectionName: getCollectionName({ language, mode, mode2 }),
+          uid,
+        },
+        [{ $count: "total" }],
+      );
+      return result[0]?.total ?? 0;
     }
   }
 }

backend/src/dal/logs.ts

@@ -56,7 +56,6 @@ export async function addImportantLog(
   message: string | Record<string, unknown>,
   uid = "",
 ): Promise<void> {
-  console.log("log", event, message, uid);
   await insertIntoDb(event, message, uid, true);
 }
 

backend/src/dal/user.ts

@@ -493,17 +493,14 @@ export async function checkIfPb(
 
   if (!pb.isPb) return false;
 
-  await getUsersCollection().updateOne(
-    { uid },
-    { $set: { personalBests: pb.personalBests } },
-  );
-
+  const setFields: Record<string, unknown> = {
+    personalBests: pb.personalBests,
+  };
   if (pb.lbPersonalBests) {
-    await getUsersCollection().updateOne(
-      { uid },
-      { $set: { lbPersonalBests: pb.lbPersonalBests } },
-    );
+    setFields["lbPersonalBests"] = pb.lbPersonalBests;
   }
+
+  await getUsersCollection().updateOne({ uid }, { $set: setFields });
   return true;
 }
 
@@ -1149,11 +1146,6 @@ export async function updateStreak(
 
   streak.lastResultTimestamp = timestamp;
 
-  if (user.streak?.hourOffset === 0) {
-    // todo this needs to be removed after a while
-    delete streak.hourOffset;
-  }
-
   await getUsersCollection().updateOne({ uid }, { $set: { streak } });
 
   return streak.length;

backend/src/middlewares/rate-limit.ts

@@ -1,6 +1,10 @@
 import MonkeyError from "../utils/error";
 import type { Response, NextFunction, Request } from "express";
-import { RateLimiterMemory } from "rate-limiter-flexible";
+import {
+  RateLimiterMemory,
+  RateLimiterRedis,
+  type RateLimiterAbstract,
+} from "rate-limiter-flexible";
 import {
   rateLimit,
   RateLimitRequestHandler,
@@ -21,6 +25,7 @@ import {
   TsRestRequestWithContext,
 } from "../api/types";
 import { AppRoute, AppRouter } from "@ts-rest/core";
+import * as RedisClient from "../init/redis";
 
 export const REQUEST_MULTIPLIER = isDevEnvironment() ? 100 : 1;
 
@@ -149,10 +154,31 @@ export const rootRateLimiter = rateLimit({
 });
 
 // Bad Authentication Rate Limiter
-const badAuthRateLimiter = new RateLimiterMemory({
-  points: 30 * REQUEST_MULTIPLIER,
-  duration: 60 * 60, //one hour seconds
-});
+// Uses Redis when available for consistency across instances, falls back to memory
+function createBadAuthRateLimiter(): RateLimiterAbstract {
+  const opts = {
+    points: 30 * REQUEST_MULTIPLIER,
+    duration: 60 * 60,
+  };
+
+  const redisConnection = RedisClient.getConnection();
+  if (redisConnection !== null) {
+    return new RateLimiterRedis({
+      ...opts,
+      storeClient: redisConnection,
+      keyPrefix: "bad_auth",
+      insuranceLimiter: new RateLimiterMemory(opts),
+    });
+  }
+
+  return new RateLimiterMemory(opts);
+}
+
+let badAuthRateLimiter: RateLimiterAbstract = createBadAuthRateLimiter();
+
+export function reinitBadAuthRateLimiter(): void {
+  badAuthRateLimiter = createBadAuthRateLimiter();
+}
 
 export async function badAuthRateLimiterHandler(
   req: ExpressRequestWithContext,

backend/src/server.ts

@@ -19,6 +19,7 @@ import { createIndicies as leaderboardDbSetup } from "./dal/leaderboards";
 import { createIndicies as blocklistDbSetup } from "./dal/blocklist";
 import { createIndicies as connectionsDbSetup } from "./dal/connections";
 import { getErrorMessage } from "./utils/error";
+import { reinitBadAuthRateLimiter } from "./middlewares/rate-limit";
 
 async function bootServer(port: number): Promise<Server> {
   try {
@@ -46,6 +47,9 @@ async function bootServer(port: number): Promise<Server> {
       Logger.success("Connected to redis");
       const connection = RedisClient.getConnection();
 
+      Logger.info("Upgrading bad auth rate limiter to Redis...");
+      reinitBadAuthRateLimiter();
+
       Logger.info("Initializing queues...");
       queues.forEach((queue) => {
         queue.init(connection ?? undefined);