Your Rate Limit Didn't Fail — You Just Met a Race Condition

Everything was working.

Athiqul hasan Momin

~3 min read · April 19, 2026 (Updated: April 19, 2026) · Free: Yes

Your OTP system? Clean. Your rate limit? Solid. One request per minute. Your tests? Passed.

You deploy.

A few minutes later, you check your logs… and your stomach drops:

One user just triggered five OTP SMS requests in one second.

Same user. Same endpoint. Same timestamp.

So now you're thinking:

"Did my rate limit break?"
"Is someone hacking this?"
"What did I miss?"

Here's the uncomfortable truth:

Your logic is fine. Your assumption is wrong.

Welcome to the world of race conditions.

The Bug That Only Exists in Production

Race conditions are sneaky.

They don't show up when you:

Click buttons manually
Test APIs one by one
Run things locally

They show up when:

Requests hit at the exact same time
Systems behave faster than you expect
Real users (or bots) stress your endpoints

In other words: production reveals what your local testing hides.

What Actually Went Wrong?

Let's simplify OTP logic:

Check: "Has user requested OTP in last 60 seconds?"
If no → send OTP
Save timestamp

Looks perfect, right?

Now imagine two requests hitting your server at the same millisecond:

Request A → checks → no recent OTP 
Request B → checks → no recent OTP

Neither request has updated the database yet.

So both continue:

Request A → sends OTP
Request B → sends OTP

Boom. You just paid for two SMS messages.

Multiply that by retries, bots, or network quirks… and things escalate fast.

The Mental Model Shift (This Is the Key)

Most developers think like this:

"My code runs step by step."

Reality:

"Multiple copies of my code run at the same time."

That difference? That's where race conditions live.

A Real-World Analogy That Actually Sticks

You have $100 in your bank account.

Two withdrawals happen at the same time:

ATM #1 checks → $100
ATM #2 checks → $100
ATM #1 withdraws → balance = $0
ATM #2 withdraws → balance = $0

You just withdrew $200.

No bugs in logic. Just bad timing.

So How Do You Fix It?

You don't "fix" the logic.

You control access to it.

Option 1: Atomic Locks (Your Best Friend)

Think of this like a "one-person-at-a-time" rule.

use Illuminate\Support\Facades\Cache;
$lock = Cache::lock('otp_lock_'.$user->id, 60);
if ($lock->get()) {
    // Only ONE request can enter here
    // Send OTP...
   $lock->release();
} else {
    return response('Too many requests', 429);
}

What this does:

First request gets the lock
Second request gets blocked
Your rate limit finally behaves as expected

Option 2: Database Locking (When Data Matters More)

For things like balances, always let the database protect you:

DB::transaction(function () {
    $user = User::where('id', 1)->lockForUpdate()->first();
// Safe operations here
});

Now:

No two requests can touch this row at the same time
Your data stays consistent

Don't Overcorrect (This Part Matters)

After learning this, it's tempting to lock everything.

Bad idea.

If you do that:

Your app slows down
Requests start waiting on each other
UX becomes painful

Instead, be intentional.

Use locks when:

It costs you money (SMS, APIs)
It involves money (wallets, payments)
It affects critical data

Skip it for:

Profile views
Read-only endpoints
Non-critical actions

The Real Lesson

Race conditions aren't rare.

They're just invisible — until they're not.

And when they show up, they:

Break your assumptions
Bypass your safeguards
Cost you real money

Final Thought

If you've ever said:

"This bug only happens sometimes…"

There's a very good chance…

You were looking at a race condition.

#race-condition #backend-development #rate-limiting #laravel #bugs

< Go to the original