fix(api): enforce rate limiting for unknown client IPs

[mohdsubhan1756]

Description

Fixes #3354

This PR fixes a security issue where the track-user API route bypasses rate limiting when getClientIp() returns "unknown". Previously, requests with an undetermined IP were not subjected to any rate-limit checks, allowing unlimited requests and potential abuse.

The fix ensures that even when the client IP cannot be resolved, the request is still rate-limited using a fallback key instead of skipping the limiter entirely.

Changes

• Introduced a fallback rate-limit key for "unknown" IP values
• Ensured all requests are subject to rate limiting regardless of IP resolution
• Prevented bypass of trackUserRateLimiter.check() in edge cases
• Maintained special handling for localhost (127.0.0.1)

Pillar

• 🎨 Pillar 1 — New Theme Design
• 📐 Pillar 2 — Geometric SVG Improvement
• 🕐 Pillar 3 — Timezone Logic Optimization
• 🛠️ Other (Bug fix, refactoring, docs)

Visual Preview

N/A (Backend API / Security fix)

Checklist before requesting a review:

• I have read the CONTRIBUTING.md file.
• I have tested these changes locally (localhost:3000/api/streak?user=YOUR_USERNAME).
• I have run npm run format and npm run lint locally and resolved all errors (CI will fail otherwise).
• My commits follow the Conventional Commits format (e.g., feat(themes): ..., fix(calculate): ...).
• I have updated README.md if I added a new theme or URL parameter.
• I have started the repo.
• I have made sure that i have only one commit to merge in this PR.
• The SVG output matches the CommitPulse "premium quality" aesthetic standard (no raw elements, smooth animations, correct fonts).
• (Recommended) I joined the CommitPulse Discord community for contributor discussions, mentorship, and faster PR support.

[github-actions]

👋 Hey @mohdsubhan1756, welcome to CommitPulse! 🎉

Thanks for opening your first pull request — this is a big deal and we appreciate the effort!

While you wait for a review, please double-check:

• ✅ You've read the CONTRIBUTING.md checklist
• ✅ npm run lint, npm run format, and npm run test all pass locally
• ✅ Your PR has a visual preview if it touches any SVG output
• 💬 You've joined our Discord for faster PR feedback

A maintainer will review your PR shortly. Hang tight! 🚀

[vercel]

@mohdsubhan1756 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

🎉 Congratulations @mohdsubhan1756! Your PR has been successfully merged. 🚀

Thank you for contributing to CommitPulse. Your work helps us build a better tool for the community.

⚠️ Important for GSSoC Contributors:
You are strictly advised to join our Discord Server as it is mandatory for all GSSoC participants. All important announcements, point claims, and community discussions happen there.

Keep building! 💻✨