feat: add nudge application functionality #2542
- Introduced a new endpoint to nudge applications, allowing users to send reminders.
- Implemented logic to prevent nudging if the last nudge was less than 24 hours ago, with appropriate error messages.
- Updated application constants to include new API response and error messages related to the nudge feature.
- Enhanced the applications controller to handle nudge requests and update application nudge counts accordingly.
Walkthrough: This PR implements a nudge application feature by adding success and error message constants, creating a nudgeApplication controller that enforces a 24-hour cooldown between nudges, and exposing it via a new authenticated PATCH route.
| authorizeRoles([SUPERUSER]), | ||
| applications.addIsNewFieldMigration | ||
| ); | ||
| router.patch("/:applicationId/nudge", authenticate, applications.nudgeApplication); |
Check failure: Code scanning / CodeQL: Missing rate limiting (High)
Copilot Autofix (AI, 4 months ago)
In general, to fix missing rate limiting on an authenticated/authorized route, you introduce a rate-limiting middleware (e.g., using express-rate-limit) and apply it to that route (or to the router) so that each client can only call it a bounded number of times per time window.
For this specific file, the least intrusive fix that preserves existing behavior is:
- Import `express-rate-limit` at the top.
- Define a limiter (e.g., allowing a small number of "nudge" calls per IP per time window, such as 10 per minute or similar).
- Insert that limiter in the middleware chain for the `router.patch("/:applicationId/nudge", ...)` route, immediately after `authenticate` so that it rate-limits per client IP while still ensuring only authenticated users access the endpoint.
- Do not change other routes or application logic.
Concretely:
- In `routes/applications.ts`, add `const RateLimit = require("express-rate-limit");` after the existing `require` statements.
- Add a constant `nudgeRateLimiter = RateLimit({ ... })` near the router definition.
- Modify line 27 to include `nudgeRateLimiter` in the middleware list: `router.patch("/:applicationId/nudge", authenticate, nudgeRateLimiter, applications.nudgeApplication);`.
This addresses all alert variants, since they all refer to missing rate limiting on that same route.
| @@ -5,9 +5,15 @@ | ||
| const applications = require("../controllers/applications"); | ||
| const { authorizeOwnOrSuperUser } = require("../middlewares/authorizeOwnOrSuperUser"); | ||
| const applicationValidator = require("../middlewares/validators/application"); | ||
| const RateLimit = require("express-rate-limit"); | ||
|
|
||
| const router = express.Router(); | ||
|
|
||
| const nudgeRateLimiter = RateLimit({ | ||
| windowMs: 60 * 1000, // 1 minute | ||
| max: 10, | ||
| }); | ||
|
|
||
| router.get( | ||
| "/", | ||
| authenticate, | ||
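Review bot: `nudgeRateLimiter` (windowMs 60 * 1000, max 10) keys on the client IP, express-rate-limit's default, although the route it is meant for already sits behind `authenticate`; passing the authenticated user id through the limiter's `keyGenerator` option would bound each account rather than each address, and per-IP keying only behaves as intended when Express's `trust proxy` setting matches the deployment, otherwise every request arriving through a load balancer shares the proxy's address and one window. Also, `max` was renamed `limit` in express-rate-limit v7 (the old name is kept as a deprecated alias), so `limit: 10` is the current spelling for the 8.x version this change adds.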
| @@ -24,6 +27,11 @@ | ||
| applicationValidator.validateApplicationUpdateData, | ||
| applications.updateApplication | ||
| ); | ||
| router.patch("/:applicationId/nudge", authenticate, applications.nudgeApplication); | ||
| router.patch( | ||
| "/:applicationId/nudge", | ||
| authenticate, | ||
| nudgeRateLimiter, | ||
| applications.nudgeApplication | ||
| ); | ||
|
|
||
| module.exports = router; |
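Review bot: placing the limiter after `authenticate` means unauthenticated requests are rejected before they consume a window, which matches the alert, but nothing in this chain checks that the caller owns `:applicationId` or is a superuser, so any authenticated user can still nudge any application and the per-IP limit only slows that down; the file already imports `authorizeOwnOrSuperUser`, which looks like the natural middleware to add between `authenticate` and `applications.nudgeApplication` (or the equivalent check inside the controller). A rate limit is a DoS mitigation, not an authorization control.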
| @@ -42,7 +42,8 @@ | ||
| "passport-github2": "0.1.12", | ||
| "passport-google-oauth20": "^2.0.0", | ||
| "rate-limiter-flexible": "5.0.3", | ||
| "winston": "3.13.0" | ||
| "winston": "3.13.0", | ||
| "express-rate-limit": "^8.2.1" | ||
| }, | ||
| "devDependencies": { | ||
| "@types/chai": "4.3.16", |
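Review bot: `package.json` already depends on `rate-limiter-flexible` (5.0.3, two lines above the new entry), so adding `express-rate-limit` brings in a second rate-limiting library for a single route; either build the nudge limiter on the existing dependency or say why a second one is needed. Style: every neighbouring entry pins an exact version (`"passport-github2": "0.1.12"`, `"winston": "3.13.0"`) while the new entry uses a caret range (`"express-rate-limit": "^8.2.1"`); pin it to match, and note that the lock file update that should accompany a new dependency is not part of this diff.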
| Package | Version | Security advisories |
|---|---|---|
| express-rate-limit (npm) | 8.2.1 | None |
Actionable comments posted: 3
🤖 Fix all issues with AI agents
In `@controllers/applications.ts`:
- Around line 163-205: The nudgeApplication handler currently reads the
application, checks cooldown, and then updates, which risks race conditions and
lacks ownership checks; update nudgeApplication to verify req.userData.id owns
the application (compare against application.ownerId or similar) and return 403
if not, and move the cooldown check + increment into an atomic model operation
(e.g., add a new ApplicationModel.atomicNudge or modify updateApplication to
accept a conditional where lastNudgeAt < now - 24h) so the DB performs the
check-and-update in one transaction; keep references to
ApplicationModel.getApplicationById and ApplicationModel.updateApplication (or
replace with ApplicationModel.atomicNudge) and ensure the handler uses the
model-level method and only returns the new nudgeCount/lastNudgeAt from the
atomic response.
- Around line 172-174: Move the computation of twentyFourHoursInMilliseconds
(currently set via convertDaysToMilliseconds(1)) inside the if (lastNudgeAt)
block so it is only calculated when application.lastNudgeAt is truthy; keep
currentTime and lastNudgeAt declarations where they are, then reference
twentyFourHoursInMilliseconds only inside the block that checks if (lastNudgeAt)
to avoid unnecessary work.
In `@routes/applications.ts`:
- Line 33: The nudgeApplication controller currently allows any authenticated
user to nudge any application; after you load the application in
applications.nudgeApplication, add an ownership check that compares the
authenticated user id (e.g., req.user.id or req.userId depending on your auth
middleware) to the application's owner id (e.g., application.userId or
application.ownerId) and return a 403/Unauthorized response if they don’t match
unless the user is a superuser; specifically insert this check immediately after
fetching the application in nudgeApplication and before performing the nudge
action, using the same error response format your API uses.
📜 Review details
Files selected for processing (3):
- constants/application.ts
- controllers/applications.ts
- routes/applications.ts
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2026-01-13T05:25:47.159Z
Learnt from: AnujChhikara
Repo: RealDevSquad/website-backend PR: 2534
File: services/applicationService.ts:79-85
Timestamp: 2026-01-13T05:25:47.159Z
Learning: In the application creation flow (services/applicationService.ts), users with applications created before January 1, 2026 are intentionally allowed to create new applications regardless of whether their old application status was ACCEPTED, REJECTED, or PENDING. Only applications created after the cutoff date should prevent duplicate submissions by throwing a Conflict error.
Applied to files:
controllers/applications.ts
🔇 Additional comments (3)
constants/application.ts (1)
20-20: LGTM! The new constants are clear, descriptive, and follow the existing naming conventions. Also applies to: 25-25
controllers/applications.ts (2)
6-6: LGTM! The new imports are correctly added and used by the `nudgeApplication` handler. Also applies to: 10-10
213-213: LGTM! The new handler is correctly exported.
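The race condition CodeRabbit raises in its first comment, shown as an added example that is not the project's code: two concurrent nudges against a read-check-update handler both pass the 24-hour check (and one increment is lost), while a handler that delegates the check-and-increment to a single conditional store operation admits only one. The in-memory store, the setImmediate-based latency, and the field names (userId, roles, nudgeCount, lastNudgeAt) are assumptions standing in for the real model.

```javascript
// Added example (not the PR's code): the read-check-update race in the 24h nudge cooldown
// and the atomic conditional update that closes it. The in-memory store and the field
// names (userId, roles, nudgeCount, lastNudgeAt) are assumptions, not the project's model.
const COOLDOWN_MS = 24 * 60 * 60 * 1000;
const tick = () => new Promise((r) => setImmediate(r)); // simulated DB round trip
// Constructed stand-in for ApplicationModel.
function makeStore(app) {
  const rows = new Map([[app.id, { ...app }]]);
  return {
    async get(id) { await tick(); return { ...rows.get(id) }; },
    async update(id, patch) { await tick(); Object.assign(rows.get(id), patch); },
    // Cooldown check and increment in one step, as a conditional UPDATE would do it.
    async nudgeIfAllowed(id, now) {
      await tick();
      const row = rows.get(id);
      if (row.lastNudgeAt && now - row.lastNudgeAt < COOLDOWN_MS) return null;
      row.lastNudgeAt = now; row.nudgeCount += 1;
      return { nudgeCount: row.nudgeCount, lastNudgeAt: row.lastNudgeAt };
    },
    row(id) { return rows.get(id); },
  };
}
// Ownership check the review asked for: owner or SUPERUSER, otherwise 403.
function assertOwner(app, user) {
  if (app.userId === user.id || (user.roles || []).includes("SUPERUSER")) return;
  throw Object.assign(new Error("Forbidden"), { status: 403 });
}
// Vulnerable shape: read, check in JS, then write. Concurrent calls all pass the check.
async function nudgeNaive(store, appId, user, now) {
  const app = await store.get(appId);
  assertOwner(app, user);
  if (app.lastNudgeAt && now - app.lastNudgeAt < COOLDOWN_MS) return null;
  await store.update(appId, { lastNudgeAt: now, nudgeCount: app.nudgeCount + 1 });
  return { nudgeCount: app.nudgeCount + 1, lastNudgeAt: now };
}
// Hardened shape: ownership check, then one atomic check-and-update in the store.
async function nudgeAtomic(store, appId, user, now) {
  const app = await store.get(appId);
  assertOwner(app, user);
  return store.nudgeIfAllowed(appId, now);
}
// Two nudges for the same application in flight at once; reports how many were accepted.
async function race(handler, user = { id: "u1", roles: [] }) {
  const store = makeStore({ id: "app-1", userId: "u1", nudgeCount: 0, lastNudgeAt: null });
  const calls = [handler(store, "app-1", user, 1000), handler(store, "app-1", user, 1001)];
  const results = await Promise.all(calls);
  return { accepted: results.filter(Boolean).length, nudgeCount: store.row("app-1").nudgeCount };
}
```

`race(nudgeNaive)` resolves to 2 accepted nudges with a nudgeCount of 1, while `race(nudgeAtomic)` resolves to 1 accepted nudge with a nudgeCount of 1; a non-owner without the SUPERUSER role is rejected with status 403 before either path runs.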
- Enhanced the nudgeApplication function to streamline error handling and improve readability.
- Updated API response and error messages for nudging applications to provide clearer feedback.
- Removed redundant checks and utilized a transaction for better performance and consistency in the nudge process.
* feat: add nudge application functionality
  - Introduced a new endpoint to nudge applications, allowing users to send reminders.
  - Implemented logic to prevent nudging if the last nudge was less than 24 hours ago, with appropriate error messages.
  - Updated application constants to include new API response and error messages related to the nudge feature.
  - Enhanced the applications controller to handle nudge requests and update application nudge counts accordingly.
* refactor: enhance nudge application logic
* feat: add error handling for nudge application when status is not pending
* fix: correct last nudge timestamp logic in nudgeApplication function
* refactor: improve nudge application logic and update response messages
  - Enhanced the nudgeApplication function to streamline error handling and improve readability.
  - Updated API response and error messages for nudging applications to provide clearer feedback.
  - Removed redundant checks and utilized a transaction for better performance and consistency in the nudge process.
* refactor: add NUDGE_APPLICATION_STATUS constants
* test: add comprehensive tests for nudge application functionality (#2543)
  * test: add comprehensive tests for nudge application functionality
  * chore: add logger utility to discordService and logService for improved logging
  * test: enhance nudge application tests to cover pending status validation
  * refactor: remove duplicate logger import and unused config in discordService
  * nit: remove unused logger import
  * refactor: update nudge application logic and messages
    - Changed the success message for nudging an application to "Nudge sent successfully".
    - Updated error messages for nudging to be more user-friendly.
    - Refactored the nudgeApplication function to streamline logic and improve readability.
    - Adjusted integration and unit tests to reflect the updated messages and logic.
* refactor: nudge model try and catch block
---------
Co-authored-by: Amit Prakash <34869115+iamitprakash@users.noreply.github.com>
Date: 15 Jan 2026
Developer Name: @AnujChhikara
Tech Doc: User Onboarding flow