
Enforce free QR code limit across incognito/private browsing sessions via server-side IP tracking#31

Draft
Copilot wants to merge 3 commits into main from copilot/update-qr-code-generation-limit

Conversation


Copilot AI commented Mar 19, 2026

The 3-free-QR-code limit was stored exclusively in the Flask session cookie, which resets on every new incognito/private window — making the paywall trivially bypassable.

Changes

  • IP-based rate limiting (_ip_qr_counts: OrderedDict[str, int]): moves the authoritative counter server-side, keyed by client IP, so it survives session resets
  • Atomic check-and-increment (_check_and_increment_ip): limit check and counter update happen inside a single threading.Lock acquisition — eliminates the TOCTOU race where concurrent requests at count=2 could both slip through
  • Spoofing-resistant IP extraction (get_client_ip): reads the last entry in X-Forwarded-For (appended by Railway/Render's trusted proxy, not controllable by the client); falls back to request.remote_addr
  • Bounded memory (_MAX_TRACKED_IPS = 100_000): OrderedDict-based LRU eviction prevents unbounded growth
  • Removed the now-redundant session['qr_count'] write
```python
import threading
from collections import OrderedDict

FREE_QR_LIMIT = 3                     # free QR codes allowed per client IP
_MAX_TRACKED_IPS = 100_000            # LRU bound on the number of tracked IPs
_ip_qr_counts: OrderedDict[str, int] = OrderedDict()
_ip_qr_lock = threading.Lock()

def _check_and_increment_ip(ip: str) -> tuple[bool, int]:
    """Atomically check the free limit for `ip` and increment its counter."""
    with _ip_qr_lock:
        count = _ip_qr_counts.get(ip, 0)
        if count >= FREE_QR_LIMIT:
            return False, count          # blocked — no increment
        count += 1
        _ip_qr_counts[ip] = count
        _ip_qr_counts.move_to_end(ip)    # mark as most recently used
        if len(_ip_qr_counts) > _MAX_TRACKED_IPS:
            _ip_qr_counts.popitem(last=False)   # evict least recently used
        return True, count
```

Note: The in-memory dict resets on process restart and is per-worker with multi-process gunicorn. A Redis-backed counter would be required for persistent, cross-worker enforcement.

Original prompt

hi, what changes need to be made, and in which file, so that the ability to generate free QR codes in incognito mode can be stopped after 3 free ones have been generated, as it is currently designed.
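The IP extraction and the atomic limiter described in the PR text above, as an added example that is not the PR's own code: it models the request with a constructed FakeRequest (hypothetical, standing in for flask.request), assumes exactly one trusted reverse proxy that appends the real client IP as the last X-Forwarded-For entry, and fires concurrent requests at the limiter to confirm that only FREE_QR_LIMIT of them are allowed.

```python
import threading
from collections import OrderedDict
from dataclasses import dataclass, field

FREE_QR_LIMIT = 3            # free QR codes per client IP (as in the PR)
_MAX_TRACKED_IPS = 100_000   # LRU bound on tracked IPs (as in the PR)
_ip_qr_counts: OrderedDict[str, int] = OrderedDict()
_ip_qr_lock = threading.Lock()

@dataclass
class FakeRequest:
    """Constructed stand-in for flask.request (hypothetical, for this demo)."""
    remote_addr: str
    headers: dict = field(default_factory=dict)

def get_client_ip(req) -> str:
    """Last X-Forwarded-For entry is the one the trusted proxy appended;
    earlier entries are client-supplied. No header: socket peer address."""
    xff = req.headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[-1] if hops else req.remote_addr

def _check_and_increment_ip(ip: str) -> tuple[bool, int]:
    """Check the limit and bump the counter inside one lock hold, so two
    concurrent requests at count=2 cannot both be allowed."""
    with _ip_qr_lock:
        count = _ip_qr_counts.get(ip, 0)
        if count >= FREE_QR_LIMIT:
            return False, count                  # blocked, no increment
        count += 1
        _ip_qr_counts[ip] = count
        _ip_qr_counts.move_to_end(ip)            # most recently used
        if len(_ip_qr_counts) > _MAX_TRACKED_IPS:
            _ip_qr_counts.popitem(last=False)    # evict least recently used
        return True, count

def concurrent_allowed(ip: str, n_requests: int) -> int:
    """Fire n_requests for one IP at once; return how many were allowed."""
    results: list[bool] = []
    gate = threading.Barrier(n_requests)        # release all threads together
    def worker():
        gate.wait()
        results.append(_check_and_increment_ip(ip)[0])
    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

Note that the "last entry" rule is only safe when a trusted proxy always appends; if the app is ever reachable without that proxy in front, the header is entirely client-controlled and the limiter would key on whatever the client sends.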



Copilot AI and others added 2 commits March 19, 2026 03:27
… tracking

Co-authored-by: mplik <187812982+mplik@users.noreply.github.com>
Co-authored-by: mplik <187812982+mplik@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix QR code generation limit in Cognito mode" to "Enforce free QR code limit across incognito/private browsing sessions via server-side IP tracking" on Mar 19, 2026
Copilot AI requested a review from mplik March 19, 2026 03:28
mplik (Owner) commented Mar 19, 2026 via email

2 participants