forgejo-lila/lila - Forgejo: Beyond coding. We Forge.

forgejo-lila/lila

Fork 0

Commit graph

Author	SHA1	Message	Date
lila	0118798e36	feat: guest play — allow singleplayer quiz without auth - Add optionalAuth middleware: attaches session when present, never blocks (guests pass through) - Make game endpoints (start/answer) accept optional auth - GameSessionStore.userId: string → string \| null - Rate limiter falls back to IP for unauthenticated users - Frontend: remove /play route guard, show 'Create account' CTA on score screen for guests - Add tests for guest session creation, answer submission, and cross-user session isolation	2026-05-31 21:28:08 +02:00
lila	59049002fc	fix(api): skip rate limiting for non-sensitive auth endpoints All checks were successful Build and Deploy / build-and-deploy (push) Successful in 1m50s Details The authLimiter was blocking legitimate users because Better Auth's client polls /get-session frequently (on mount, route changes, focus), and /sign-out was also getting blocked after repeated session polls. Skip rate limiting for: - /get-session — read-only, requires valid cookie, no attack surface - /sign-out — no attack value in blocking logout - /callback/* — OAuth callbacks from providers Brute force protection remains on /sign-in, /sign-up, and other sensitive endpoints.	2026-04-23 22:12:38 +02:00
lila	9893ead689	feat(api): add helmet security headers and rate limiting - Add helmet middleware for secure HTTP response headers - Add express-rate-limit with three limiters: - authLimiter: per-IP, 20 req/15min on /api/auth/* - gameLimiter: per-user, 150 req/15min (not yet wired) - lobbyLimiter: per-user, 20 req/15min (not yet wired) - Set trust proxy for correct client IP behind Caddy - Add tests for all three limiters and helmet headers	2026-04-23 11:13:11 +02:00

Author

SHA1

Message

Date

lila

0118798e36

feat: guest play — allow singleplayer quiz without auth

- Add optionalAuth middleware: attaches session when present,
  never blocks (guests pass through)
- Make game endpoints (start/answer) accept optional auth
- GameSessionStore.userId: string → string | null
- Rate limiter falls back to IP for unauthenticated users
- Frontend: remove /play route guard, show 'Create account' CTA
  on score screen for guests
- Add tests for guest session creation, answer submission,
  and cross-user session isolation

2026-05-31 21:28:08 +02:00

lila

59049002fc

fix(api): skip rate limiting for non-sensitive auth endpoints

Build and Deploy / build-and-deploy (push) Successful in 1m50s

Details

The authLimiter was blocking legitimate users because Better Auth's
client polls /get-session frequently (on mount, route changes, focus),
and /sign-out was also getting blocked after repeated session polls.

Skip rate limiting for:
- /get-session — read-only, requires valid cookie, no attack surface
- /sign-out — no attack value in blocking logout
- /callback/* — OAuth callbacks from providers

Brute force protection remains on /sign-in, /sign-up, and other
sensitive endpoints.

2026-04-23 22:12:38 +02:00

lila

9893ead689

feat(api): add helmet security headers and rate limiting

- Add helmet middleware for secure HTTP response headers
- Add express-rate-limit with three limiters:
  - authLimiter: per-IP, 20 req/15min on /api/auth/*
  - gameLimiter: per-user, 150 req/15min (not yet wired)
  - lobbyLimiter: per-user, 20 req/15min (not yet wired)
- Set trust proxy for correct client IP behind Caddy
- Add tests for all three limiters and helmet headers

2026-04-23 11:13:11 +02:00

3 commits