fix(security): enforce rate limiting for unknown client IPs in /api/notify (POST & GET)

[mohdsubhan1756]

Description

Fixes #3359

This PR fixes a security issue in the /api/notify route where rate limiting was bypassed when getClientIp() returned "unknown". In such cases, the request was incorrectly allowed to proceed without being subjected to throttling, leading to a potential abuse vector.

The fix ensures that rate limiting is always enforced by introducing a fallback rate-limit key when the client IP cannot be resolved. This guarantees consistent protection across both POST and GET endpoints.

Pillar

• 🎨 Pillar 1 — New Theme Design
• 📐 Pillar 2 — Geometric SVG Improvement
• 🕐 Pillar 3 — Timezone Logic Optimization
• 🛠️ Other (Bug fix, refactoring, docs)

Visual Preview

N/A (Backend security fix affecting API behavior only)

Checklist before requesting a review:

• I have read the CONTRIBUTING.md file.
• I have tested these changes locally (localhost:3000/api/streak?user=YOUR_USERNAME).
• I have run npm run format and npm run lint locally and resolved all errors (CI will fail otherwise).
• My commits follow the Conventional Commits format (e.g., feat(themes): ..., fix(calculate): ...).
• I have updated README.md if I added a new theme or URL parameter.
• I have started the repo.
• I have made sure that i have only one commit to merge in this PR.
• The SVG output matches the CommitPulse "premium quality" aesthetic standard (no raw elements, smooth animations, correct fonts).
• (Recommended) I joined the CommitPulse Discord community for contributor discussions, mentorship, and faster PR support.

[vercel]

@mohdsubhan1756 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

👋 Hey @mohdsubhan1756, welcome to CommitPulse! 🎉

Thanks for opening your first pull request — this is a big deal and we appreciate the effort!

While you wait for a review, please double-check:

• ✅ You've read the CONTRIBUTING.md checklist
• ✅ npm run lint, npm run format, and npm run test all pass locally
• ✅ Your PR has a visual preview if it touches any SVG output
• 💬 You've joined our Discord for faster PR feedback

A maintainer will review your PR shortly. Hang tight! 🚀

[github-actions]

🎉 Congratulations @mohdsubhan1756! Your PR has been successfully merged. 🚀

Thank you for contributing to CommitPulse. Your work helps us build a better tool for the community.

⚠️ Important for GSSoC Contributors:
You are strictly advised to join our Discord Server as it is mandatory for all GSSoC participants. All important announcements, point claims, and community discussions happen there.

Keep building! 💻✨