From 57fe69eaf7d66e97b6eba72860708a3a7973bac4 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Mon, 4 May 2026 21:20:26 +0000
Subject: [PATCH] fix(auth): override Better Auth sign-in rate limit defaults

Override Better Auth default rate limits for /sign-in/* and /sign-up/* paths by adding customRules to both rateLimit blocks in auth.ts:
- /sign-in/social: max 10, window 60
- /sign-in/email: max 10, window 60
- /sign-up/email: max 5, window 60
- /get-session: false (unchanged)
Co-Authored-By: Paperclip

---
 apps/api/src/lib/auth.ts | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/apps/api/src/lib/auth.ts b/apps/api/src/lib/auth.ts
index 209e9d6..f90dee7 100644
--- a/apps/api/src/lib/auth.ts
+++ b/apps/api/src/lib/auth.ts
@@ -96,12 +96,15 @@ export async function initAuth(): Promise {
 max: 100,
 window: 10,
 storage: "memory",
- customRules: {
- "/get-session": false,
- },
+customRules: {
+ "/sign-in/social": { max: 10, window: 60 },
+ "/sign-in/email": { max: 10, window: 60 },
+ "/sign-up/email": { max: 5, window: 60 },
+ "/get-session": false,
 },
- plugins: [
- genericOAuth({
+ },
+ plugins: [
+ genericOAuth({
 config: [
 {
 providerId: "authentik",
@@ -247,6 +250,9 @@ export async function initAuth(): Promise {
 window: 10,
 storage: "memory",
 customRules: {
+ "/sign-in/social": { max: 10, window: 60 },
+ "/sign-in/email": { max: 10, window: 60 },
+ "/sign-up/email": { max: 5, window: 60 },
 "/get-session": false,
 },
 },
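Review bot: The same four customRules entries are now written out twice, in the rateLimit block at the @@ -96 hunk and again in the one at @@ -247, so the two limiters can silently drift apart the next time one of them is tuned; hoist them into a single module-level `const authRateLimitRules = { … }` holding the four entries exactly as they appear in this hunk and reference it from both blocks as `customRules: authRateLimitRules,`. In the first hunk the added `+customRules: {` line appears to start at column 0 while the lines around it are indented, which looks like a formatting slip if the collapsed diff reflects the file faithfully. Both blocks keep `storage: "memory"`, so these counters are per-process and reset on restart; if the API runs as more than one instance, or the limiter is keyed on a client IP read from a proxy-supplied header, the effective limit is looser than the numbers suggest, so the deployment topology and the IP source are worth confirming before relying on these thresholds. initAuth starts and ends outside both hunks.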