fix(GRO-773): raise auth rate-limit threshold and exempt /get-session (#327)

Raise the Better Auth rate limit from max:10/window:60 to max:100/window:10 to match library defaults, and exempt /get-session from rate limiting entirely via customRules (returns null = no rate limit check). Both AUTH_DISABLED and production rateLimit blocks updated. Co-authored-by: Test User <test@example.com> Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-04-17 18:04:41 +00:00
parent 6141dcb77d
commit 4001691ae7
1 changed files with 10 additions and 4 deletions
@@ -93,9 +93,12 @@ export async function initAuth(): Promise<void> {
        baseURL: BETTER_AUTH_URL,
        rateLimit: {
          enabled: true,
-          max: 10,
-          window: 60,
+          max: 100,
+          window: 10,
          storage: "memory",
+          customRules: {
+            "/get-session": false,
+          },
        },
        plugins: [
          genericOAuth({
@@ -240,9 +243,12 @@ export async function initAuth(): Promise<void> {
      baseURL: BETTER_AUTH_URL,
      rateLimit: {
        enabled: true,
-        max: 10,
-        window: 60,
+        max: 100,
+        window: 10,
        storage: "memory",
+        customRules: {
+          "/get-session": false,
+        },
      },
      account: {
        storeStateStrategy: "cookie" as const,