fix: add per-IP rate limiting and strict validation to badge endpoints

[advikdivekar]

Summary

Closes #453

The badge endpoints (/api/badge/commits and /api/badge/streak-shield) accepted any GitHub username with only a length check — no
authentication, no rate limiting. A single script looping thousands of usernames could exhaust the shared GITHUB_TOKEN quota (5,000 req/hr) and
take down the public profile page, leaderboard, and all badge endpoints simultaneously. Access patterns were also leaked unconditionally via

Changes

• src/lib/badge-rate-limit.ts (new) — sliding-window, in-memory rate limiter scoped to badge endpoints (20 req/min per IP), mirrors the
  existing middleware pattern exactly. Falls back gracefully: unknown IP counts as "unknown", still rate limited.

• src/app/api/badge/commits/route.ts — replaces the loose length check with GITHUB_USERNAME_RE (GitHub-spec: 1–39 chars, alphanumeric +
  hyphens, no leading/trailing hyphen). Adds per-IP rate limit gate before any processing. Returns 429 with Retry-After, X-RateLimit-* headers
  on excess. Removes all console.log statements. Upgrades Cache-Control to s-maxage=3600, stale-while-revalidate=86400.

• src/app/api/badge/streak-shield/route.ts — same validation, same rate limit gate, same header cleanup.

Test plan

• GET /api/badge/commits?user=torvalds → 200 SVG badge
• GET /api/badge/commits?user=-invalid- → 400 {"error":"Invalid username"}
• GET /api/badge/commits (no param) → 400 {"error":"Invalid username"}
• GET /api/badge/streak-shield?user=torvalds → 200 SVG badge
• GET /api/badge/streak-shield?user=-invalid- → 400
• 21 rapid requests from the same IP → request 21 returns 429 with Retry-After header
• Server logs contain no console.log of usernames during any of the above

---

Verification summary: All 7 criteria passed live against the running dev server — valid usernames return SVG (200), invalid usernames return 400,
missing param returns 400, and the 20 req/min limit correctly returns 429 with Retry-After/X-RateLimit-* headers on excess. No console.log of
usernames appeared in server output (only console.error for actual GitHub API failures, which is correct).

[vercel]

@advikdivekar is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

• level:beginner — 20 pts
• level:intermediate — 35 pts
• level:advanced — 55 pts
• level:critical — 80 pts

Quality (optional):

• quality:clean — ×1.2 multiplier
• quality:exceptional — ×1.5 multiplier

Validation (required to score):

• gssoc:approved — counts for points
• gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

[Priyanshu-byte-coder]

Merge conflict — rebase on main to resolve. The implementation is solid (rate limiting, username regex, badge validation, goals route hardening, .gitignore cleanup) — once conflict is cleared this is ready to merge.

[Priyanshu-byte-coder]

This PR has merge conflicts with main. Please rebase:

git fetch origin
git rebase origin/main
git push --force-with-lease

Note: PR #469 also deletes .claude/settings.local.json and adds .claude/ to .gitignore — if that PR is updated and merged before this one, those changes may already be in main.

[advikdivekar]

@Priyanshu-byte-coder please review it now

[github-actions]

🎉 Merged! Thanks for contributing to DevTrack.

If the project has been useful to you, a ⭐ star on the repo is the easiest way to support it — it helps DevTrack get discovered by more developers.

Keep an eye on open issues for your next contribution!