Description
Middleware sets rate-limit headers on the NextResponse.next() response, but for routes that return their own responses (or fail/short-circuit), headers may be missing or inconsistent. The middleware does not guarantee headers are added to all returned responses in a consistent way.
Steps to Reproduce
- Call any protected API route, e.g. GET /api/streak?user=torvalds.
- Repeat quickly until rate limiting triggers.
- Inspect response headers in DevTools → Network.
Expected Behavior
For every request (success or 429), rate-limit headers are present and correct:
- X-RateLimit-Limit
- X-RateLimit-Remaining
- X-RateLimit-Reset
Screenshots / Logs
No response
GitHub Username (If applicable)
No response
Environment
Chrome
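One way to get the expected behavior, as an added example that is not the project's code: a wrapper that writes the three headers in a single place for the 429, for handler-built responses, and for handler errors. It uses the standard `Response`/`Headers` API; the fixed-window limiter, `LIMIT`, `WINDOW_MS`, all function names, and `X-RateLimit-Reset` as epoch seconds are assumptions.

```javascript
// Added example; limiter policy and every name below are assumptions.
const LIMIT = 3;
const WINDOW_MS = 60_000;
const windows = new Map(); // key -> { count, resetAt }

// Count one request against the key's fixed window and report the state.
function consume(key, now = Date.now()) {
  let w = windows.get(key);
  if (!w || now >= w.resetAt) {
    w = { count: 0, resetAt: now + WINDOW_MS };
    windows.set(key, w);
  }
  w.count += 1;
  return {
    limit: LIMIT,
    remaining: Math.max(0, LIMIT - w.count),
    resetAt: w.resetAt,
    allowed: w.count <= LIMIT,
  };
}

// The only place the headers are written, so every exit path agrees.
function withRateLimitHeaders(response, state) {
  const headers = new Headers(response.headers);
  headers.set("X-RateLimit-Limit", String(state.limit));
  headers.set("X-RateLimit-Remaining", String(state.remaining));
  headers.set("X-RateLimit-Reset", String(Math.ceil(state.resetAt / 1000)));
  return new Response(response.body, { status: response.status, headers });
}

function jsonError(status, message) {
  return new Response(JSON.stringify({ error: message }), {
    status,
    headers: { "Content-Type": "application/json" },
  });
}

// Wrap a route handler: 429s, the handler's own responses and thrown
// errors all leave through withRateLimitHeaders().
async function rateLimited(key, handler, now = Date.now()) {
  const state = consume(key, now);
  let response;
  if (!state.allowed) {
    response = jsonError(429, "Too Many Requests");
  } else {
    try { response = await handler(); }
    catch { response = jsonError(500, "Internal Server Error"); }
  }
  return withRateLimitHeaders(response, state);
}
```

A regression test for this issue can assert that all three headers exist on 200, 429 and 500 responses, and that `X-RateLimit-Remaining` never goes negative.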