
feat: add account suspension error message for rate limiting#41254

Merged
jacquesikot merged 1 commit into release from fix/rate-limit-error-query-string
Sep 24, 2025

Conversation

@jacquesikot jacquesikot commented Sep 23, 2025

Description

This PR adds a new error message constant AUTH_ACCOUNT_SUSPENDED_FOR_RATE_LIMIT to handle cases where user accounts are suspended due to rate limiting violations.

Changes

  • Added AUTH_ACCOUNT_SUSPENDED_FOR_RATE_LIMIT message constant in messages.ts
  • Added the new error message to the approved error messages list in approvedErrorMessages.ts
  • The message informs users that their account is suspended for 24 hours and suggests resetting their password to continue

Message Content

"Your account is suspended for 24 hours. Please reset your password to continue"

This provides clear guidance to users on both the suspension duration and the action they can take to resolve it.

Automation

/ok-to-test tags="@tag.Sanity, @tag.Authentication"

🔍 Cypress test results

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/17939195425
Commit: 5b1a651
Cypress dashboard.
Tags: @tag.Sanity, @tag.Authentication
Spec:


Tue, 23 Sep 2025 08:25:35 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

Summary by CodeRabbit

  • New Features
    • Added a clear authentication message when an account is temporarily suspended due to rate limiting (24-hour lockout). This message is now displayed as a standard, user-visible error, helping users understand why sign-in is blocked and when they can retry. This improves feedback after too many attempts or excessive requests, reducing confusion and support inquiries.

ssage for account suspension due
to rate limiting
@jacquesikot jacquesikot self-assigned this Sep 23, 2025
@jacquesikot jacquesikot added the ok-to-test Required label for CI label Sep 23, 2025

coderabbitai bot commented Sep 23, 2025

Walkthrough

Introduces a new authentication message constant AUTH_ACCOUNT_SUSPENDED_FOR_RATE_LIMIT and adds it to the approved static error messages list. No other logic or interfaces change.

Changes

Cohort / File(s) Summary
Auth error message constants
app/client/src/ce/constants/messages.ts, app/client/src/ce/constants/approvedErrorMessages.ts
Adds AUTH_ACCOUNT_SUSPENDED_FOR_RATE_LIMIT message and includes it in APPROVED_ERROR_MESSAGES.static for exact-match, user-visible errors.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A throttle’s whisper: “Pause a bit—
Too many calls, we must commit.”
New words now guide the waiting crew,
Twenty-four hours to start anew.
Code stands still, calm and tight,
Until the counter resets the night.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Description Check (⚠️ Warning)
Explanation: The PR description is mostly clear and includes a Description, list of Changes, the exact message content, the /ok-to-test automation tag, a Cypress results placeholder, and the Communication checkboxes, but it omits the required "Fixes #" or an issue URL from the repository template and does not link to any related docs or design references; the Communication checkboxes are also left unselected. Because the repository template specifies a "Fixes" line as required, the missing issue link makes the description non-compliant with the template. The rest of the content is sufficient but the absent issue linkage should be addressed before merge.
Resolution: Add a "Fixes #" or full issue URL that this PR closes and include links to any relevant Notion/Figma/docs; mark the Communication checkbox if DevRel/Marketing should be informed and confirm the /ok-to-test tags are correct. After adding the issue link and any supporting references the description will conform to the repository template.

✅ Passed checks (2 passed)

Title Check (✅ Passed): The PR title "feat: add account suspension error message for rate limiting" is a concise, single-sentence summary that accurately describes the main change (adding an account-suspension error message for rate limiting) and matches the files and objectives in the changeset.
Docstring Coverage (✅ Passed): No functions found in the changes. Docstring coverage check skipped.

@github-actions github-actions bot added the Enhancement New feature or request label Sep 23, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2945431 and 5b1a651.

📒 Files selected for processing (2)
  • app/client/src/ce/constants/approvedErrorMessages.ts (2 hunks)
  • app/client/src/ce/constants/messages.ts (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
app/client/src/ce/constants/approvedErrorMessages.ts (1)
app/client/src/ce/constants/messages.ts (1)
  • AUTH_ACCOUNT_SUSPENDED_FOR_RATE_LIMIT (2682-2683)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: perform-test / rts-build / build
  • GitHub Check: perform-test / server-build / server-unit-tests
  • GitHub Check: perform-test / client-build / client-build
  • GitHub Check: client-check-cyclic-deps / check-cyclic-dependencies
  • GitHub Check: client-unit-tests / client-unit-tests
  • GitHub Check: client-lint / client-lint
  • GitHub Check: client-prettier / prettier-check
  • GitHub Check: client-build / client-build
🔇 Additional comments (2)
app/client/src/ce/constants/approvedErrorMessages.ts (2)

12-12: Import looks good

Correctly importing the new constant from messages.


43-43: Whitelisting added correctly

Including the new auth message in APPROVED_ERROR_MESSAGES.static is appropriate and keeps it consistent with existing auth errors.

Comment on lines +2682 to +2683
export const AUTH_ACCOUNT_SUSPENDED_FOR_RATE_LIMIT = () =>
"Your account is suspended for 24 hours. Please reset your password to continue";

🛠️ Refactor suggestion

🧩 Analysis chain

Polish copy (punctuation) and confirm backend alignment

Add a terminal period for consistency. Also verify that advising a password reset actually lifts the 24h suspension; if not, tweak the guidance.

Apply this diff:

 export const AUTH_ACCOUNT_SUSPENDED_FOR_RATE_LIMIT = () =>
-  "Your account is suspended for 24 hours. Please reset your password to continue";
+  "Your account is suspended for 24 hours. Please reset your password to continue.";
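Review bot: this hunk changes only the client-side string, but the walkthrough states that APPROVED_ERROR_MESSAGES.static is an exact-match list against the server-sent text, so appending the period on the client alone would make the suspension message fail the approved check and fall through to the generic error path. The server constant RATE_LIMIT_REACHED_ACCOUNT_SUSPENDED in RateLimitConstants.java needs the same terminal period in the same change, and a unit test that asserts the client constant equals the server string would keep the two from drifting again.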

Run to check for message mismatches and usage sites:


🏁 Script executed:

#!/bin/bash
# Look for occurrences of the message with/without trailing period
rg -n -S -P 'Your account is suspended for 24 hours\. Please reset your password to continue\.?' -C2

# Find all references to the constant
rg -n -S 'AUTH_ACCOUNT_SUSPENDED_FOR_RATE_LIMIT' -C3

Length of output: 3307


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "----- Show RateLimitConstants.java -----"
sed -n '1,200p' app/server/appsmith-server/src/main/java/com/appsmith/server/constants/RateLimitConstants.java || true

echo
echo "----- Find usages of RATE_LIMIT_REACHED_ACCOUNT_SUSPENDED -----"
rg -n --hidden -S 'RATE_LIMIT_REACHED_ACCOUNT_SUSPENDED' || true

echo
echo "----- Find rate-limit related classes/usages (server) -----"
rg -n --hidden -S 'RateLimit|RateLimiter|rate limit|rateLimiter|RATE_LIMIT' app/server || true

echo
echo "----- Search for login-related rate-limit handling -----"
rg -n --hidden -S 'login' app/server -g '!**/target/**' -C3 || true

echo
echo "----- Search for password reset/change endpoints/logic -----"
rg -n --hidden -S 'resetPassword|reset-password|forgotPassword|forgot-password|changePassword|change-password|reset password|forgot password' || true

echo
echo "----- Search for logic that clears rate limit on password reset -----"
rg -n --hidden -S 'clear.*rate|reset.*rate|remove.*rate|delete.*rate|clear.*bucket|reset.*bucket|delete.*bucket' app/server || true

Length of output: 123009


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "----- LoginRateLimitFilter.java -----"
sed -n '1,240p' app/server/appsmith-server/src/main/java/com/appsmith/server/filters/LoginRateLimitFilter.java || true

echo
echo "----- AuthenticationSuccessHandlerCE.java (around reset) -----"
sed -n '1,420p' app/server/appsmith-server/src/main/java/com/appsmith/server/authentication/handlers/ce/AuthenticationSuccessHandlerCE.java || true

echo
echo "----- RateLimitService interface & impls -----"
sed -n '1,240p' app/server/appsmith-server/src/main/java/com/appsmith/server/ratelimiting/RateLimitService.java || true
sed -n '1,320p' app/server/appsmith-server/src/main/java/com/appsmith/server/ratelimiting/RateLimitServiceImpl.java || true
sed -n '1,320p' app/server/appsmith-server/src/main/java/com/appsmith/server/ratelimiting/ce/RateLimitServiceCEImpl.java || true

echo
echo "----- UserServiceCEImpl.resetPasswordAfterForgotPassword -----"
sed -n '1,520p' app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/UserServiceCEImpl.java || true

echo
echo "----- Search for RateLimitService usage in UserService or password reset paths -----"
rg -n --hidden -S 'RateLimitService' app/server/appsmith-server/src/main/java/com/appsmith/server/services || true
rg -n --hidden -S 'reset.*rate|clear.*rate|remove.*rate|delete.*bucket|clear.*bucket|reset.*bucket|remove.*bucket' app/server || true

echo
echo "----- Client: Login.tsx error handling -----"
sed -n '1,520p' app/client/src/pages/UserAuth/Login.tsx || true

echo
echo "----- Client: check reading of error query param -----"
rg -n --hidden -S 'RateLimitExceeded|error=.*RateLimitExceeded|login.*error' app/client || true

Length of output: 267364



---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "----- app/client/src/ce/constants/approvedErrorMessages.ts -----"
sed -n '1,240p' app/client/src/ce/constants/approvedErrorMessages.ts || true

echo
echo "----- app/client/src/ee/constants/approvedErrorMessages.ts (if exists) -----"
sed -n '1,240p' app/client/src/ee/constants/approvedErrorMessages.ts || true

echo
echo "----- Search for getSafeErrorMessage definition -----"
rg -n --hidden -S "getSafeErrorMessage" -g '!**/target/**' || true

echo
echo "----- Show getSafeErrorMessage implementation (if found) -----"
sed -n '1,240p' app/client/src/ce/constants/approvedErrorMessages.ts || true

Length of output: 11074


Add trailing period and keep client/server messages identical

  • Update app/client/src/ce/constants/messages.ts — AUTH_ACCOUNT_SUSPENDED_FOR_RATE_LIMIT — add a terminal period.
  • Update app/server/appsmith-server/src/main/java/com/appsmith/server/constants/RateLimitConstants.java — RATE_LIMIT_REACHED_ACCOUNT_SUSPENDED — add the same terminal period so the client’s approved-message check continues to match the server-sent text.
  • No change to user guidance required: the password-reset flow calls rateLimitService.resetCounter(...) in app/server/.../UserServiceCEImpl.resetPasswordAfterForgotPassword, so resetting the password clears the login rate-limit.
🤖 Prompt for AI Agents
In app/client/src/ce/constants/messages.ts around lines 2682-2683 and in
app/server/appsmith-server/src/main/java/com/appsmith/server/constants/RateLimitConstants.java
(RATE_LIMIT_REACHED_ACCOUNT_SUSPENDED), the message strings lack a terminal
period and must match exactly between client and server; update both constants
to add a trailing period so the client’s approved-message check matches the
server-sent text, making no other behavioral changes.
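As an added illustration, not Appsmith's own code, here is a minimal TypeScript model of the exact-match approved-message check the review relies on, showing why the client and server strings must stay identical: only the message text comes from the PR; the allow-list, the generic fallback and the query-parameter reader are assumptions modelled on the mechanism the review describes.

```typescript
// Added example, not project code. Models an allow-list of user-visible
// error strings: the UI only renders server-sent text that exactly matches
// an approved constant, so unexpected backend text is never shown verbatim.

// Client-side constant as added in the PR (no trailing period).
const AUTH_ACCOUNT_SUSPENDED_FOR_RATE_LIMIT = (): string =>
  "Your account is suspended for 24 hours. Please reset your password to continue";

// Hypothetical generic fallback used when a server message is not approved.
const GENERIC_ERROR = (): string => "Something went wrong. Please try again.";

// Exact-match allow-list (assumed shape). A Set makes "exact" explicit:
// any difference, even a trailing period, is a miss.
const APPROVED_STATIC_MESSAGES: ReadonlySet<string> = new Set<string>([
  AUTH_ACCOUNT_SUSPENDED_FOR_RATE_LIMIT(),
]);

// Hypothetical safe-message selector: returns the server-sent message only if
// it is on the allow-list, otherwise the generic fallback.
function getSafeErrorMessage(serverMessage: string | undefined): string {
  if (serverMessage !== undefined && APPROVED_STATIC_MESSAGES.has(serverMessage)) {
    return serverMessage;
  }
  return GENERIC_ERROR();
}

// Simulates a login page reading `?error=...` from a redirect URL
// (constructed sample URLs, not captured traffic).
function errorFromLoginUrl(url: string): string {
  const param = new URL(url).searchParams.get("error") ?? undefined;
  return getSafeErrorMessage(param);
}

// Server-side string with the period the review proposes; if only the client
// constant were changed, this would no longer match and the user would see
// the generic fallback instead of the suspension guidance.
const SERVER_MESSAGE_WITH_PERIOD =
  "Your account is suspended for 24 hours. Please reset your password to continue.";
```

Running `getSafeErrorMessage(SERVER_MESSAGE_WITH_PERIOD)` against the allow-list above yields the generic fallback, which is the drift the review's second bullet guards against.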

@jacquesikot jacquesikot merged commit e742df0 into release Sep 24, 2025
48 checks passed
@jacquesikot jacquesikot deleted the fix/rate-limit-error-query-string branch September 24, 2025 11:36