From 7f5273e8038e17b1fa06ef0e3bc44e4ff836b327 Mon Sep 17 00:00:00 2001
From: vicentsmith470-web
 <244629634+vicentsmith470-web@users.noreply.github.com>
Date: Sun, 31 May 2026 23:29:41 -0600
Subject: [PATCH] fix: count malformed json in api rate limiter

---
 apps/api/src/app.js                  |  2 +-
 apps/api/src/tests/rateLimit.test.js | 44 ++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 apps/api/src/tests/rateLimit.test.js

diff --git a/apps/api/src/app.js b/apps/api/src/app.js
index 048b2d0767..abff7027aa 100644
--- a/apps/api/src/app.js
+++ b/apps/api/src/app.js
@@ -20,8 +20,8 @@ export function createApp() {
 
   app.use(helmet());
   app.use(cors());
-  app.use(express.json());
   app.use(apiLimiter);
+  app.use(express.json());
 
   app.get("/health", (req, res) => {
     res.status(200).json({ ok: true, service: "api" });
diff --git a/apps/api/src/tests/rateLimit.test.js b/apps/api/src/tests/rateLimit.test.js
new file mode 100644
index 0000000000..0157420031
--- /dev/null
+++ b/apps/api/src/tests/rateLimit.test.js
@@ -0,0 +1,44 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { createApp } from "../app.js";
+
+function listen(app) {
+  const server = app.listen(0);
+
+  return new Promise((resolve, reject) => {
+    server.once("listening", () => resolve(server));
+    server.once("error", reject);
+  });
+}
+
+function close(server) {
+  return new Promise((resolve, reject) => {
+    server.close((error) => (error ? reject(error) : resolve()));
+  });
+}
+
+test("malformed JSON requests are counted by the global API limiter", async () => {
+  const app = createApp();
+  const server = await listen(app);
+  const originalConsoleError = console.error;
+
+  try {
+    console.error = () => {};
+
+    const { port } = server.address();
+    let response;
+
+    for (let index = 0; index < 201; index += 1) {
+      response = await fetch(`http://127.0.0.1:${port}/api/jobs`, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: "{"
+      });
+    }
+
+    assert.equal(response.status, 429);
+  } finally {
+    console.error = originalConsoleError;
+    await close(server);
+  }
+});