fix(api): skip rate limiting for non-sensitive auth endpoints
All checks were successful
Build and Deploy / build-and-deploy (push) Successful in 1m50s
The authLimiter was blocking legitimate users because Better Auth's client polls /get-session frequently (on mount, route changes, focus), and /sign-out was also getting blocked after repeated session polls.

Skip rate limiting for:
- /get-session — read-only, requires valid cookie, no attack surface
- /sign-out — no attack value in blocking logout
- /callback/* — OAuth callbacks from providers

Brute force protection remains on /sign-in, /sign-up, and other sensitive endpoints.
This commit is contained in:
parent
c57fc5a98b
commit
59049002fc
2 changed files with 39 additions and 9 deletions
|
|
@ -13,6 +13,15 @@ export const authLimiter = rateLimit({
|
|||
limit: 20,
|
||||
standardHeaders: "draft-8",
|
||||
legacyHeaders: false,
|
||||
skip: (req) => {
|
||||
const path = req.path;
|
||||
return (
|
||||
path.includes("/get-session") ||
|
||||
path.includes("/sign-out") ||
|
||||
path.startsWith("/callback/") ||
|
||||
path.includes("/callback/")
|
||||
);
|
||||
},
|
||||
message: {
|
||||
success: false,
|
||||
error: "Too many requests, please try again later.",
|
||||
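Review bot: the `skip` predicate matches more broadly than the three endpoints the commit message names, because `path.includes("/get-session")` and `path.includes("/sign-out")` accept the substring anywhere in the path rather than the route itself; an anchored comparison (`path === "/get-session"`, `path === "/sign-out"`, `path.startsWith("/callback/")`, or an equivalent regex ending in `$`) keeps the exemption limited to exactly those routes. The `path.startsWith("/callback/") || path.includes("/callback/")` pair is also redundant, since anything matched by `startsWith` is already matched by `includes`, so one of the two can go. If `req.path` is relative to a mounted router (which may be why `includes` was chosen), a short comment stating the expected prefix would make the matching deliberate, and it is worth confirming that a general request limiter still applies to the exempted routes now that `authLimiter` no longer does.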