
[Security] Bulk send allows 100 SMS per request, effectively bypassing per-user rate limit #41

@eltociear

Description

Summary

src/app/api/messages/bulk-send/route.ts uses the same rate limit as single send (10/min per user), but allows up to 100 recipients per request. Because the limiter counts requests rather than messages, a user can send 1,000 SMS per minute (10 requests × 100 recipients) instead of the intended 10.

Location

// src/app/api/messages/bulk-send/route.ts
const SEND_RATE_LIMIT = { limit: 10, windowMs: 60 * 1000 };

// Rate limit counts the bulk-send as 1 request, not 100 messages
const rl = checkRateLimit(`send:${user.id}`, SEND_RATE_LIMIT);

Impact

  • Rate limit is trivially bypassable: 10 bulk requests = 1,000 SMS/minute
  • Could lead to significant provider (Twilio/Telnyx) charges
  • Potential abuse for SMS spam
  • Provider accounts could be suspended for high-volume unsolicited messaging

Suggested Fix

Count each recipient toward the rate limit, not each request:

const recipientCount = recipients.length;
const rl = checkRateLimit(`send:${user.id}`, {
  limit: SEND_RATE_LIMIT.limit,
  windowMs: SEND_RATE_LIMIT.windowMs,
  cost: recipientCount,  // Each recipient counts as 1 toward the limit
});

Alternatively, give bulk send its own, lower request-rate limit, separate from the single-send limit.
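To make the difference between the two accounting schemes concrete, here is an added example (not the project's code) of a fixed-window, cost-aware limiter in the shape the suggested fix assumes. The names RateLimitOptions, checkRateLimit, bulkSendStatus and simulateMinute, the in-memory Map store, and the sample phone numbers are all assumptions made for this example; the limit values are the ones quoted in the issue.

```typescript
// Added example, not the project's code. A fixed-window, cost-aware rate
// limiter showing why counting requests lets bulk-send bypass the 10/min
// limit, and how a per-recipient `cost` closes the gap.
// Assumed names: RateLimitOptions, checkRateLimit, bulkSendStatus, simulateMinute.

interface RateLimitOptions {
  limit: number;     // max units allowed per window
  windowMs: number;  // window length in milliseconds
  cost?: number;     // units this call consumes (default 1)
}

interface RateLimitResult {
  allowed: boolean;
  remaining: number; // units still available in the current window
  resetAt: number;   // epoch ms at which the window resets
}

interface Bucket { used: number; resetAt: number }

// In-memory store keyed by e.g. `send:${user.id}`. A real deployment would
// keep these counters in a shared store (e.g. Redis) so every app instance
// sees the same budget.
const buckets = new Map<string, Bucket>();

function checkRateLimit(key: string, opts: RateLimitOptions, now: number = Date.now()): RateLimitResult {
  // Clamp cost to a positive integer so a caller cannot pass 0 or a negative value.
  const cost = Math.max(1, Math.floor(opts.cost ?? 1));
  let bucket = buckets.get(key);
  if (bucket === undefined || now >= bucket.resetAt) {
    bucket = { used: 0, resetAt: now + opts.windowMs };
    buckets.set(key, bucket);
  }
  // Check before consuming: a denied request must not drain the window, and a
  // cost larger than the remaining budget is rejected outright.
  if (bucket.used + cost > opts.limit) {
    return { allowed: false, remaining: opts.limit - bucket.used, resetAt: bucket.resetAt };
  }
  bucket.used += cost;
  return { allowed: true, remaining: opts.limit - bucket.used, resetAt: bucket.resetAt };
}

const SEND_RATE_LIMIT = { limit: 10, windowMs: 60 * 1000 };

// Minimal stand-in for the bulk-send handler's rate-limit step.
// countRecipients=false reproduces the bug (each request costs 1);
// countRecipients=true applies the suggested fix (each recipient costs 1).
function bulkSendStatus(userId: string, recipients: string[], countRecipients: boolean, now: number): 200 | 429 {
  const rl = checkRateLimit(`send:${userId}`, {
    ...SEND_RATE_LIMIT,
    cost: countRecipients ? recipients.length : 1,
  }, now);
  return rl.allowed ? 200 : 429;
}

// How many SMS can one user push through a single window by firing
// `attempts` bulk requests of `recipientsPerRequest` each?
function simulateMinute(recipientsPerRequest: number, attempts: number, countRecipients: boolean): number {
  buckets.clear();
  // Constructed sample recipients; all requests land at t=0, inside one window.
  const recipients = Array.from({ length: recipientsPerRequest }, (_, i) => `+1555000${String(i).padStart(4, '0')}`);
  let sent = 0;
  for (let i = 0; i < attempts; i++) {
    if (bulkSendStatus('user-1', recipients, countRecipients, 0) === 200) sent += recipientsPerRequest;
  }
  return sent;
}

console.log('request accounting, 100 recipients x 10 requests:', simulateMinute(100, 10, false)); // 1000
console.log('recipient accounting, 100 recipients x 10 requests:', simulateMinute(100, 10, true)); // 0
console.log('recipient accounting, 5 recipients x 10 requests:', simulateMinute(5, 10, true));     // 10
```

With request accounting the simulated user sends 1,000 messages in the window; with recipient accounting the same 100-recipient bursts are refused because a single request would exceed the 10-message budget, while smaller batches are admitted until exactly 10 messages have been spent. The budget check runs before the counter is incremented, so rejected requests never eat into the window.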

Severity

High — Direct cost implications via provider API abuse.
