Enforce limited Freebuff models before session gate

jahooma · jahooma · commit 6ff21b4ba67f · 2026-05-12T14:08:54.000-07:00
diff --git a/web/src/app/api/v1/chat/completions/__tests__/completions.test.ts b/web/src/app/api/v1/chat/completions/__tests__/completions.test.ts
@@ -592,10 +592,10 @@ describe('/api/v1/chat/completions POST endpoint', () => {
               'x-forwarded-for': '8.8.8.8',
             },
             body: JSON.stringify({
-              model: 'minimax/minimax-m2.7',
+              model: FREEBUFF_DEEPSEEK_V4_FLASH_MODEL_ID,
               stream: false,
               codebuff_metadata: {
-                run_id: 'run-free',
+                run_id: 'run-free-deepseek-flash',
                 client_id: 'test-client-id-123',
                 cost_mode: 'free',
                 freebuff_instance_id: 'active-instance-123',
@@ -705,6 +705,11 @@ describe('/api/v1/chat/completions POST endpoint', () => {
     )
 
     it('limits unknown-location free-mode requests to DeepSeek Flash', async () => {
+      const checkSessionAdmissible = mock(async () => {
+        throw new Error(
+          'limited model enforcement should run before session gate',
+        )
+      })
       // Use a TEST-NET-1 IP (RFC 5737) that geoip-lite cannot resolve, with
       // no cf-ipcountry header. This avoids the dev-only localhost bypass
       // (which kicks in when there is no cf-ipcountry AND no/loopback IP).
@@ -738,24 +743,21 @@ describe('/api/v1/chat/completions POST endpoint', () => {
         fetch: mockFetch,
         insertMessageBigquery: mockInsertMessageBigquery,
         loggerWithContext: mockLoggerWithContext,
-        checkSessionAdmissible: async (params) => {
-          expect(params.accessTier).toBe('limited')
-          expect(params.requestedModel).toBe('minimax/minimax-m2.7')
-          return {
-            ok: false,
-            code: 'session_model_mismatch',
-            message:
-              'Limited free access is only available with DeepSeek V4 Flash.',
-          }
-        },
+        checkSessionAdmissible,
       })
 
       expect(response.status).toBe(409)
       const body = await response.json()
       expect(body.error).toBe('session_model_mismatch')
+      expect(checkSessionAdmissible).toHaveBeenCalledTimes(0)
     })
 
     it('classifies anonymized Cloudflare country codes as limited access', async () => {
+      const checkSessionAdmissible = mock(async () => {
+        throw new Error(
+          'limited model enforcement should run before session gate',
+        )
+      })
       const req = new NextRequest(
         'http://localhost:3000/api/v1/chat/completions',
         {
@@ -787,20 +789,13 @@ describe('/api/v1/chat/completions POST endpoint', () => {
         fetch: mockFetch,
         insertMessageBigquery: mockInsertMessageBigquery,
         loggerWithContext: mockLoggerWithContext,
-        checkSessionAdmissible: async (params) => {
-          expect(params.accessTier).toBe('limited')
-          return {
-            ok: false,
-            code: 'session_model_mismatch',
-            message:
-              'Limited free access is only available with DeepSeek V4 Flash.',
-          }
-        },
+        checkSessionAdmissible,
       })
 
       expect(response.status).toBe(409)
       const body = await response.json()
       expect(body.error).toBe('session_model_mismatch')
+      expect(checkSessionAdmissible).toHaveBeenCalledTimes(0)
     })
 
     it(
diff --git a/web/src/app/api/v1/chat/completions/_post.ts b/web/src/app/api/v1/chat/completions/_post.ts
@@ -1,5 +1,10 @@
 import { AnalyticsEvent } from '@codebuff/common/constants/analytics-events'
 import { BYOK_OPENROUTER_HEADER } from '@codebuff/common/constants/byok'
+import {
+  FREEBUFF_GEMINI_PRO_MODEL_ID,
+  isFreebuffModelAllowedForAccessTier,
+  isSupportedFreebuffModelId,
+} from '@codebuff/common/constants/freebuff-models'
 import {
   isFreebuffGeminiThinkerAgent,
   isFreebuffRootAgent,
@@ -490,6 +495,33 @@ export async function postChatCompletions(params: {
       }
     }
 
+    if (
+      isFreeModeRequest &&
+      freebuffAccessTier === 'limited' &&
+      (isSupportedFreebuffModelId(typedBody.model) ||
+        typedBody.model === FREEBUFF_GEMINI_PRO_MODEL_ID) &&
+      !isFreebuffModelAllowedForAccessTier(typedBody.model, freebuffAccessTier)
+    ) {
+      trackEvent({
+        event: AnalyticsEvent.CHAT_COMPLETIONS_VALIDATION_ERROR,
+        userId,
+        properties: {
+          error: 'session_model_mismatch',
+          model: typedBody.model,
+          accessTier: freebuffAccessTier,
+        },
+        logger,
+      })
+      return NextResponse.json(
+        {
+          error: 'session_model_mismatch',
+          message:
+            'Limited free access is only available with DeepSeek V4 Flash.',
+        },
+        { status: STATUS_BY_GATE_CODE.session_model_mismatch },
+      )
+    }
+
     let freeModeSessionGate: SessionGateResult | null = null
 
     // Freebuff waiting-room gate. Usually enforced only when
