fix(public-api): configure trust proxy for rate limiter

[Gagan-astatine]

🚀 Pull Request Description

Fixes #248

This PR resolves an issue with the rate limiter in the public-api failing or blocking incorrectly when deployed behind a proxy/load balancer.

• Configured Express to trust proxy headers by adding app.set('trust proxy', 1);.
• Removed the strict validate block from express-rate-limit configuration that was explicitly rejecting proxy-related headers.
• Minor code formatting/spacing improvements.

🛠️ Type of Change

• 🐛 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
• 📝 Documentation update
• 🎨 UI/UX improvement (Frontend only)
• ⚙️ Refactor / Chore

🧪 Testing & Validation

Backend Verification:

• I have run npm test in the backend/ directory and all tests passed.
• I have verified the API endpoints using Postman/Thunder Client.
• New unit tests have been added (if applicable).

Frontend Verification:

• I have run npm run lint in the frontend/ directory.
• Verified the UI changes on different screen sizes (Responsive).
• Checked for any console errors in the browser dev tools.

📸 Screenshots / Recordings (Optional)

✅ Checklist

• My code follows the code style of this project.
• I have performed a self-review of my code.
• I have commented my code, particularly in hard-to-understand areas.
• My changes generate no new warnings or errors.
• I have updated the documentation (README/Docs) accordingly.

Built with ❤️ for urBackend.

Summary by CodeRabbit

• Style

  • Reformatted imports and configuration object spacing in API initialization.
  • Adjusted whitespace in rate limiter middleware logging handler.

• Chores

  • Simplified rate limiter configuration by removing validation override settings.
  • Code cleanup and consistent formatting across middleware files.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR removes the rate limiter's problematic validate settings that suppressed warnings without fixing proxy trust issues, addressing a bug where all cloud-deployed clients share a single rate-limit bucket. It also applies consistent code formatting across imports, configuration objects, and middleware structures in both the public API app setup and rate-limiting middleware.

Changes

Rate Limiter Proxy Trust Fix

Layer / File(s)	Summary
Rate limiter validate settings removal apps/public-api/src/middlewares/api_usage.js	The rate limiter configuration removes validate.xForwardedForHeader: false and validate.trustProxy: false settings that suppressed warnings without enabling proper X-Forwarded-For header extraction.
Code formatting harmonization apps/public-api/src/app.js, apps/public-api/src/middlewares/api_usage.js	Consistent spacing and formatting applied to import statements (validateEnv, queue/worker destructuring), configuration object fields (capture options), the "Not Found" JSON response, and middleware logic boundaries.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

A hop through formatters clean and bright,
The rate limiter's trust set right,
No more shared buckets, one per guest—
Each client now gets their own rate-limit nest! 🐰

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Linked Issues check	❓ Inconclusive	The PR addresses issue #248 by removing validate.trustProxy: false from the rate limiter config, aligning with the objective to remove proxy configuration that suppressed warnings without fixing the root cause.	Verify that app.set('trust proxy', 1) was actually added to apps/public-api/src/app.js as required by issue #248; the raw summary only shows reformatting without confirming this critical fix.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main fix: configuring trust proxy for the rate limiter in the public-api.
Out of Scope Changes check	✅ Passed	All changes appear directly related to fixing the rate limiter trust proxy issue: removing problematic validate configuration and reformatting imports/handlers in scope files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/public-api/src/app.js`:
- Around line 118-121: The Not Found handler currently sends a 200 response;
update the middleware passed to app.use (the anonymous function that reads
X-Kiroo-Replay-ID) to set the HTTP status to 404 before sending JSON (e.g., call
res.status(404) or res.statusCode = 404) so unknown routes return a proper 404
Not Found response while still including the replayId in the response body.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ad6d9a2b-883a-4630-8d67-0ca1e7fde825

📥 Commits

Reviewing files that changed from the base of the PR and between 23c590b and 78d25fe.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• apps/public-api/src/app.js
• apps/public-api/src/middlewares/api_usage.js

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Return 404 in the Not Found handler.

This handler currently responds with 200 OK, which breaks HTTP semantics and client error handling for unknown routes.

Suggested fix

 app.use((req, res) => {
     const id = res.get("X-Kiroo-Replay-ID");
-    res.json({ error: "Not Found", replayId: id })
+    res.status(404).json({ error: "Not Found", replayId: id })
 })

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	app.use((req, res) => {
	const id = res.get("X-Kiroo-Replay-ID");
	res.json({error: "Not Found", replayId: id})
	res.json({ error: "Not Found", replayId: id })
	})
	app.use((req, res) => {
	const id = res.get("X-Kiroo-Replay-ID");
	res.status(404).json({ error: "Not Found", replayId: id })
	})

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/public-api/src/app.js` around lines 118 - 121, The Not Found handler
currently sends a 200 response; update the middleware passed to app.use (the
anonymous function that reads X-Kiroo-Replay-ID) to set the HTTP status to 404
before sending JSON (e.g., call res.status(404) or res.statusCode = 404) so
unknown routes return a proper 404 Not Found response while still including the
replayId in the response body.

[yash-pouranik]

@Gagan-astatine
please fix the changes suggested by coderabbitai