fix(auth): override Better Auth sign-in rate limit defaults #392

Merged
groombook-engineer[bot] merged 1 commit from fix/gro-1024-auth-rate-limit into dev 2026-05-11 03:31:32 +00:00
groombook-engineer[bot] commented 2026-05-11 02:17:28 +00:00 (Migrated from github.com)

Summary

  • Override Better Auth's default sign-in rate limits (3 req/10s)
  • Add custom rules for /sign-in/social, /sign-in/email, /sign-up/email
  • Apply to both placeholder and real auth configs

Context

GRO-1021 UAT regression is blocked because /api/auth/sign-in/social returns HTTP 429 after ~3 attempts. Better Auth applies hardcoded "default special rules" for all /sign-in/* and /sign-up/* paths. This fix adds custom rules to override those defaults.

Changes

  • File modified: apps/api/src/lib/auth.ts
  • Both rateLimit blocks updated: placeholder config (line ~94) and real config (line ~244)
  • New limits: 10 req/60s for sign-in endpoints, 5 req/60s for sign-up

Acceptance Criteria

  • Both rateLimit.customRules blocks include the sign-in/sign-up overrides
  • npm run build passes in apps/api
  • Unit tests pass (npm test in apps/api)
  • PR targets dev branch

Note: Build/test will be verified by CI pipeline.

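An added example, not code from this PR or from Better Auth itself: a small fixed-window limiter whose configuration object mirrors the `rateLimit` option shape named in the PR (`window` in seconds, `max` requests, `customRules` keyed by path), so the before/after configs can be exercised offline. The "default special rules" (3 req/10s for `/sign-in/*` and `/sign-up/*`) are the values quoted in the PR description; the prefix-matching and per-IP-per-path bucketing are assumptions made here to keep the simulation self-contained, not a description of the library's internals. The IP address is a constructed sample.

```typescript
// Rule and config shapes follow the option names used in the PR
// (window in seconds, max requests per window, customRules keyed by path).
type Rule = { window: number; max: number };

type RateLimitConfig = {
  enabled?: boolean;
  window: number;                    // global default window (seconds)
  max: number;                       // global default max per window
  customRules?: Record<string, Rule>;
};

// The hardcoded "default special rules" described in the PR (assumption:
// modelled here as path prefixes; the real library uses its own route list).
const DEFAULT_SPECIAL_RULES: Record<string, Rule> = {
  "/sign-in/*": { window: 10, max: 3 },
  "/sign-up/*": { window: 10, max: 3 },
};

// Config before the fix: no customRules, so the special rules still apply
// and a UAT flow hits 429 after ~3 social sign-in attempts.
const beforeFix: RateLimitConfig = { enabled: true, window: 60, max: 100 };

// Config after the fix, using the limits stated in the PR
// (10 req/60s for sign-in endpoints, 5 req/60s for sign-up).
const afterFix: RateLimitConfig = {
  enabled: true,
  window: 60,
  max: 100,
  customRules: {
    "/sign-in/social": { window: 60, max: 10 },
    "/sign-in/email": { window: 60, max: 10 },
    "/sign-up/email": { window: 60, max: 5 },
  },
};

function matches(pattern: string, path: string): boolean {
  if (pattern.endsWith("/*")) return path.startsWith(pattern.slice(0, -1));
  return pattern === path;
}

// Resolution order (assumption): an explicit customRule wins, then the
// library's special rules, then the global default. This is exactly why
// adding customRules for the sign-in/sign-up paths overrides the 3/10s rule.
function resolveRule(cfg: RateLimitConfig, path: string): Rule {
  for (const [pattern, rule] of Object.entries(cfg.customRules ?? {})) {
    if (matches(pattern, path)) return rule;
  }
  for (const [pattern, rule] of Object.entries(DEFAULT_SPECIAL_RULES)) {
    if (matches(pattern, path)) return rule;
  }
  return { window: cfg.window, max: cfg.max };
}

// Fixed-window counter keyed by client IP and path (assumption).
class FixedWindowLimiter {
  private buckets = new Map<string, { start: number; count: number }>();
  constructor(private cfg: RateLimitConfig) {}

  // Returns the HTTP status the request would receive: 200 or 429.
  check(ip: string, path: string, nowMs: number): 200 | 429 {
    if (this.cfg.enabled === false) return 200;
    const rule = resolveRule(this.cfg, path);
    const key = `${ip}:${path}`;
    const windowMs = rule.window * 1000;
    const bucket = this.buckets.get(key);
    if (!bucket || nowMs - bucket.start >= windowMs) {
      this.buckets.set(key, { start: nowMs, count: 1 });
      return 200;
    }
    bucket.count += 1;
    return bucket.count > rule.max ? 429 : 200;
  }
}

// Fire n requests from one (constructed) IP 10 ms apart and return how many
// were allowed before the first 429; returns n if none were blocked.
function attemptsBeforeBlock(cfg: RateLimitConfig, path: string, n: number): number {
  const limiter = new FixedWindowLimiter(cfg);
  for (let i = 0; i < n; i++) {
    if (limiter.check("203.0.113.5", path, 1_000 + i * 10) === 429) return i;
  }
  return n;
}

console.log("before:", attemptsBeforeBlock(beforeFix, "/sign-in/social", 20));
console.log("after: ", attemptsBeforeBlock(afterFix, "/sign-in/social", 20));
console.log("sign-up:", attemptsBeforeBlock(afterFix, "/sign-up/email", 20));
```

The check a reviewer would want alongside this change: with per-IP keying, 10 req/60s on `/sign-in/email` means an attacker behind one IP can try 10 passwords per account per minute, more than the old 3/10s rule allowed per minute; sign-in throttling is only one layer, so account lockout or MFA should be relied on for credential-stuffing resistance rather than the rate limit alone.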
github-actions[bot] commented 2026-05-11 02:22:56 +00:00 (Migrated from github.com)

Deployed to groombook-dev

Images: pr-392
URL: https://dev.groombook.farh.net

Ready for UAT validation.

lint-roller-qa[bot] (Migrated from github.com) approved these changes 2026-05-11 03:29:23 +00:00
lint-roller-qa[bot] (Migrated from github.com) left a comment

QA review passed.

Verification:

  • Both rateLimit.customRules blocks include sign-in/sign-up overrides
  • CI all green: Lint & Typecheck, Test, E2E, Build, Deploy
  • PR targets dev, correct title

Changes are minimal and match the fix spec exactly.

the-dogfather-cto[bot] (Migrated from github.com) approved these changes 2026-05-11 03:31:26 +00:00
the-dogfather-cto[bot] (Migrated from github.com) left a comment

CTO review — approved.

  • Diff matches spec exactly: both customRules blocks updated with sign-in/sign-up overrides
  • Rate limits are reasonable (10/60s sign-in, 5/60s sign-up) — still protective while unblocking UAT
  • CI all green, QA approved
  • Merging to dev.