From 4001691ae770e979eba80738980814faf2d5c322 Mon Sep 17 00:00:00 2001
From: "lint-roller-qa[bot]"
 <269744346+lint-roller-qa[bot]@users.noreply.github.com>
Date: Fri, 17 Apr 2026 18:04:41 +0000
Subject: [PATCH] fix(GRO-773): raise auth rate-limit threshold and exempt
 /get-session (#327)

Raise the Better Auth rate limit from max:10/window:60 to max:100/window:10
to match library defaults, and exempt /get-session from rate limiting entirely
via customRules (returns null = no rate limit check).

Both AUTH_DISABLED and production rateLimit blocks updated.

Co-authored-by: Test User <test@example.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
---
 apps/api/src/lib/auth.ts | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/apps/api/src/lib/auth.ts b/apps/api/src/lib/auth.ts
index 37a51b0..209e9d6 100644
--- a/apps/api/src/lib/auth.ts
+++ b/apps/api/src/lib/auth.ts
@@ -93,9 +93,12 @@ export async function initAuth(): Promise<void> {
         baseURL: BETTER_AUTH_URL,
         rateLimit: {
           enabled: true,
-          max: 10,
-          window: 60,
+          max: 100,
+          window: 10,
           storage: "memory",
+          customRules: {
+            "/get-session": false,
+          },
         },
         plugins: [
           genericOAuth({
@@ -240,9 +243,12 @@ export async function initAuth(): Promise<void> {
       baseURL: BETTER_AUTH_URL,
       rateLimit: {
         enabled: true,
-        max: 10,
-        window: 60,
+        max: 100,
+        window: 10,
         storage: "memory",
+        customRules: {
+          "/get-session": false,
+        },
       },
       account: {
         storeStateStrategy: "cookie" as const,