Rate Limit by Multiple Request Fields
Reported by candidates from Roblox's online assessment. Pattern, common pitfall, and the honest play if you blank under the timer.
You're seeing a rate limiter problem from Roblox, reported May 2026. This isn't just "allow N requests per second." Each request arrives with multiple fields (userId, deviceId, endpoint, etc.), and each field has its own independent rate limit rule. A single request gets ALLOW only if it passes ALL field rules simultaneously. Fail one dimension, the whole request is REJECT. If you blank on the multi-dimensional logic during the OA, StealthCoder will feed you the pattern in real time.
The problem
Extend a basic rate limiter so that each request contains multiple fields such as userId, deviceId, or endpoint. Each field dimension has its own rule of the form fieldName window limit. For the same field value, allow at most limit requests inside a window of length window seconds. A request is ALLOWed only if it stays within the limit for every configured dimension. If any one dimension exceeds its limit, the request is REJECTed. Function Description Complete the function applyMultiFieldRateLimiter in the editor below. applyMultiFieldRateLimiter has the following parameters: Returns String[]: one result per request, each being ALLOW or REJECT. The third request is rejected because the user dimension exceeds its limit even though the device dimension is still valid. The second request fails the user rule, while the fourth request fails the endpoint rule because that endpoint already hit its limit in the active window.
Reported by candidates. Source: FastPrep
Pattern and pitfall
The trick is treating each field dimension as its own separate rate limiter running in parallel. For userId with rule "userId 60 10," you track the last 10 requests within a 60-second window for that specific user. You do the same for deviceId, endpoint, and any other fields. When a request arrives, you check every dimension. If all pass, ALLOW. If any single dimension exceeds its limit, REJECT immediately and don't bother checking the rest. Most candidates miss the "all must pass" AND logic or confuse the window size with the limit count. StealthCoder becomes your safety net if the multi-field tracking gets tangled during the live assessment.
Drill it cold or hedge it with StealthCoder. Either way, don't walk into the OA hoping you remember the trick.
You can drill Rate Limit by Multiple Request Fields cold, or you can hedge it. StealthCoder runs invisibly during screen share and surfaces a working solution in under 2 seconds. The proctor sees the IDE. They don't see what's behind it. Made for the candidate who got the OA invite this morning and has 72 hours, not six months.
Get StealthCoderRelated leaked OAs
You've seen the question.
Make sure you actually pass Roblox's OA.
Roblox reuses patterns across OAs. Made for the candidate who got the OA invite this morning and has 72 hours, not six months. Works on HackerRank, CodeSignal, CoderPad, and Karat.
Rate Limit by Multiple Request Fields FAQ
What's the difference between window and limit in the rule?+
Window is seconds, limit is request count. "userId 60 10" means: for each unique userId, allow at most 10 requests in any 60-second window. Track requests by timestamp, drop old ones outside the window, count remaining. If count >= limit, reject.
If userId passes but deviceId fails, do I ALLOW or REJECT?+
REJECT. All dimensions must pass for the request to be allowed. If even one field exceeds its limit, the entire request is rejected. This is the core multi-dimensional logic.
How do I handle the time window efficiently?+
Use a queue or list per field value. When a new request arrives at time T, drop all entries older than T - window from the queue. Then check if queue.length < limit. Queues are natural here because you only care about recency within a window.
Do I need to pre-parse the rules, or are they passed per request?+
The problem statement hints rules are configured upfront (fieldName window limit format). Parse them once into a map. Then for each incoming request, apply all configured rules for the fields present in that request.
What if a request has a field not in the configured rules?+
That field has no limit, so it always passes its (non-existent) rule. Only check dimensions for which a rule is explicitly configured. All configured rules must pass.