From b8d56479805ac395809f0a726d45dbf81a1a5607 Mon Sep 17 00:00:00 2001
From: Daniel Volz
Date: Tue, 30 Dec 2025 12:42:42 +0100
Subject: [PATCH] security: add rate limiting to remaining auth routes

---
 backend/src/routes/auth.ts | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/backend/src/routes/auth.ts b/backend/src/routes/auth.ts
index 2381154..0b7e434 100644
--- a/backend/src/routes/auth.ts
+++ b/backend/src/routes/auth.ts
@@ -316,7 +316,9 @@ export async function authRoutes(app: FastifyInstance) {
   // ---------------------------------------------------------------------------
   // POST /auth/logout - Logout (revoke refresh token)
   // ---------------------------------------------------------------------------
-  app.post("/auth/logout", async (request, reply) => {
+  app.post("/auth/logout", {
+    config: { rateLimit: authRateLimitConfig },
+  }, async (request, reply) => {
     const refreshTokenCookie = request.cookies.refresh_token;
 
     if (refreshTokenCookie) {
@@ -422,7 +424,10 @@ export async function authRoutes(app: FastifyInstance) {
   // ---------------------------------------------------------------------------
   // POST /auth/avatar - Upload user avatar
   // ---------------------------------------------------------------------------
-  app.post("/auth/avatar", { preHandler: requireAuth }, async (request, reply) => {
+  app.post("/auth/avatar", {
+    preHandler: requireAuth,
+    config: { rateLimit: authRateLimitConfig },
+  }, async (request, reply) => {
     const authUser = request.user as unknown as AuthUser | null;
     if (!authUser) {
       return reply.status(401).send({ error: "Not authenticated" });
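Review bot: A request that trips the new limit on `/auth/logout` never reaches the handler, so the `refresh_token` cookie stays set and the token is not revoked; whether that matters depends on the budget in `authRateLimitConfig`, which is declared outside this hunk. If it is the same budget used for credential-taking routes, a client that exhausts it while logging out keeps a live session until it retries, which is worth stating next to the route so nobody later tightens the shared config without noticing this side effect, e.g. `// Shares the auth rate-limit budget; a 429 here leaves the refresh token unrevoked, so clients must retry.` The logout handler body continues past the end of the hunk.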
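Review bot: On the avatar routes `config.rateLimit` is enforced by the rate-limit plugin's own hook, which as a rule runs before `preHandler`, so `requireAuth` has not yet populated `request.user` when the limit key is computed; if `authRateLimitConfig` (declared outside this hunk) keys on the user it will presumably fall back to the client address, and if it keys on the address, authenticated uploads now draw from the same per-address budget as unauthenticated auth attempts. The same point applies to the `DELETE /auth/avatar` hunk that follows. Making the ordering explicit next to the option would help the next reader, e.g. `config: { rateLimit: authRateLimitConfig }, // evaluated before requireAuth: keyed by client, not by user`. The handler bodies continue past the end of the hunk.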
@@ -471,7 +476,10 @@ export async function authRoutes(app: FastifyInstance) {
   // ---------------------------------------------------------------------------
   // DELETE /auth/avatar - Delete user avatar
   // ---------------------------------------------------------------------------
-  app.delete("/auth/avatar", { preHandler: requireAuth }, async (request, reply) => {
+  app.delete("/auth/avatar", {
+    preHandler: requireAuth,
+    config: { rateLimit: authRateLimitConfig },
+  }, async (request, reply) => {
     const authUser = request.user as unknown as AuthUser | null;
     if (!authUser) {
       return reply.status(401).send({ error: "Not authenticated" });