Block guy who keeps disputing charges

Author: jahooma

web/src/app/api/v1/chat/completions/__tests__/completions.test.ts

@@ -28,6 +28,9 @@ describe('/api/v1/chat/completions POST endpoint', () => {
     'test-api-key-no-credits': {
       id: 'user-no-credits',
     },
+    'test-api-key-blocked': {
+      id: '5e5aa538-92c8-4051-b0ec-5f75dbd69767',
+    },
   }
 
   const mockGetUserInfoFromApiKey: GetUserInfoFromApiKeyFn = async ({
@@ -348,6 +351,41 @@ describe('/api/v1/chat/completions POST endpoint', () => {
     })
   })
 
+  describe('Blocked users', () => {
+    it('returns 503 with cryptic error for blocked user IDs', async () => {
+      const req = new NextRequest(
+        'http://localhost:3000/api/v1/chat/completions',
+        {
+          method: 'POST',
+          headers: { Authorization: 'Bearer test-api-key-blocked' },
+          body: JSON.stringify({
+            stream: true,
+            codebuff_metadata: { run_id: 'run-123' },
+          }),
+        },
+      )
+
+      const response = await postChatCompletions({
+        req,
+        getUserInfoFromApiKey: mockGetUserInfoFromApiKey,
+        logger: mockLogger,
+        trackEvent: mockTrackEvent,
+        getUserUsageData: mockGetUserUsageData,
+        getAgentRunFromId: mockGetAgentRunFromId,
+        fetch: mockFetch,
+        insertMessageBigquery: mockInsertMessageBigquery,
+        loggerWithContext: mockLoggerWithContext,
+      })
+
+      expect(response.status).toBe(503)
+      const body = await response.json()
+      expect(body).toEqual({
+        error: 'upstream_timeout',
+        message: 'Overloaded. Request could not be processed',
+      })
+    })
+  })
+
   describe('Credit validation', () => {
     it('returns 402 when user has insufficient credits', async () => {
       const req = new NextRequest(

web/src/app/api/v1/chat/completions/_post.ts

@@ -16,6 +16,14 @@ import {
 } from '@/llm-api/openrouter'
 import { extractApiKeyFromHeader } from '@/util/auth'
 
+/**
+ * User IDs that are blocked from using the chat completions API.
+ * Returns a cryptic error to avoid revealing the block.
+ */
+const BLOCKED_USER_IDS: string[] = [
+  '5e5aa538-92c8-4051-b0ec-5f75dbd69767',
+]
+
 import type { TrackEventFn } from '@codebuff/common/types/contracts/analytics'
 import type { InsertMessageBigqueryFn } from '@codebuff/common/types/contracts/bigquery'
 import type { GetUserUsageDataFn } from '@codebuff/common/types/contracts/billing'
@@ -149,6 +157,14 @@ export async function postChatCompletions(params: {
 
     const userId = userInfo.id
 
+    // Check if user is blocked. Return fake overloaded error to avoid revealing the block.
+    if (BLOCKED_USER_IDS.includes(userId)) {
+      return NextResponse.json(
+        { error: 'upstream_timeout', message: 'Overloaded. Request could not be processed' },
+        { status: 503 },
+      )
+    }
+
     // Track API request
     trackEvent({
       event: AnalyticsEvent.CHAT_COMPLETIONS_REQUEST,