From f826dc2d15d7ec407e23770ccf8279f11473e749 Mon Sep 17 00:00:00 2001
From: Pranav
Date: Thu, 19 Feb 2026 17:48:06 -0800
Subject: [PATCH] fix: Rate-limit meta endpoint calls to 30/min (#13596)

Meta endpoints are now rate limited to 1 call per every minute. This rate limit is done at the user level not the browser.
---
 config/initializers/rack_attack.rb | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index 1f500243a..b193c2e14 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -221,6 +221,19 @@ class Rack::Attack
 match_data[:account_id] if match_data.present?
 end
+ ## Prevent increased use of conversations meta API per user
+ throttle('/api/v1/accounts/:account_id/conversations/meta/user',
+ limit: ENV.fetch('RATE_LIMIT_CONVERSATIONS_META', '30').to_i, period: 1.minute) do |req|
+ match_data = %r{/api/v1/accounts/(?\d+)/conversations/meta}.match(req.path)
+ next unless match_data.present? && req.get?
+ user_uid = req.get_header('HTTP_UID')
+ api_access_token = req.get_header('HTTP_API_ACCESS_TOKEN') || req.get_header('api_access_token')
+ user_identifier = user_uid.presence || api_access_token.presence
+ "#{user_identifier}:#{match_data[:account_id]}" if user_identifier.present?
+ end
+
 ## -----------------------------------------------
 ## end
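Review bot: The throttle discriminator is built from client-controlled headers, with `HTTP_UID` taking precedence over the token, so the bucket is per header value rather than per user — Rack::Attack runs before authentication and cannot verify `uid`, and a caller that sends a different `uid` on each request is never throttled. The token, when it is the identifier, also goes verbatim into the Rack::Attack cache key, so the raw secret is written to the throttle store. I would reverse the precedence, fall back to `req.ip` when neither header is present (unauthenticated callers then share a per-IP bucket instead of being exempt), and digest the chosen value before keying (sketch below; `Digest` should be loaded once Rails has booted, confirm for this app), noting in the comment above the throttle that a uid-only caller can still rotate the header. Two smaller points: as rendered here the capture group reads `(?\d+)`, which would not parse, while `match_data[:account_id]` needs a named group, presumably `(?<account_id>\d+)` lost in transit; and the description says "1 call per every minute" while the title and the default of `'30'` say 30 per minute.
```ruby
    # … unchanged: path match and GET guard …
    user_uid = req.get_header('HTTP_UID')
    api_access_token = req.get_header('HTTP_API_ACCESS_TOKEN') || req.get_header('api_access_token')
    # Prefer the credential over the freely settable uid header, fall back to the
    # client address, and digest so the raw token never lands in the cache key.
    discriminator = api_access_token.presence || user_uid.presence || req.ip
    "#{Digest::SHA256.hexdigest(discriminator)}:#{match_data[:account_id]}"
```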