From 35c72a6c4b3e5b16e4f1e0ae5c8d87040b5c8d85 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Mon, 11 May 2026 01:45:06 +0000
Subject: [PATCH 1/2] Add TELNYX_WEBHOOK_SECRET to .env.example
Add TELNYX_WEBHOOK_SECRET placeholder for Telnyx webhook validation.
Resolves GRO-1083
Co-Authored-By: Paperclip
---
 .env.example | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.env.example b/.env.example
index f91cd54..620e23e 100644
--- a/.env.example
+++ b/.env.example
@@ -11,6 +11,10 @@ AUTH_DISABLED=false
 OIDC_ISSUER=https://authentik.example.com
 OIDC_AUDIENCE=groombook
+# ── Webhooks ─────────────────────────────────────────────────────────────────
+# Telnyx webhook secret for validating inbound message webhooks.
+TELNYX_WEBHOOK_SECRET=your-telnyx-webhook-secret-here
+
 # ── Setup Wizard ─────────────────────────────────────────────────────────────
 # When SKIP_OOBE=true, the setup wizard is bypassed regardless of whether a
 # super user exists in the database. Useful in dev/test environments where the
--
2.52.0
From a61614c4a9bbd70d51fa3f57bf41b18e88c282f8 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Mon, 11 May 2026 02:16:58 +0000
Subject: [PATCH 2/2] fix(auth): override Better Auth sign-in rate limit defaults
- Add custom rate limit rules for /sign-in/social, /sign-in/email, and /sign-up/email
- Override default Better Auth limits (3 req/10s) with more permissive limits
- Apply rules to both placeholder and real auth configs
Co-Authored-By: Paperclip
---
 apps/api/src/lib/auth.ts | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/apps/api/src/lib/auth.ts b/apps/api/src/lib/auth.ts
index 209e9d6..8839098 100644
--- a/apps/api/src/lib/auth.ts
+++ b/apps/api/src/lib/auth.ts
@@ -97,6 +97,9 @@ export async function initAuth(): Promise {
 window: 10,
 storage: "memory",
 customRules: {
+ "/sign-in/social": { max: 10, window: 60 },
+ "/sign-in/email": { max: 10, window: 60 },
+ "/sign-up/email": { max: 5, window: 60 },
 "/get-session": false,
 },
 },
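Review bot: The placeholder `TELNYX_WEBHOOK_SECRET=your-telnyx-webhook-secret-here` looks like a usable value, so a `.env` copied from this template will run with a public, predictable secret unless the validation code explicitly rejects it; leaving the value empty (`TELNYX_WEBHOOK_SECRET=`) makes a missing secret fail closed at the point of use instead. The comment above it should also state what happens when the variable is unset — whether inbound Telnyx webhooks are rejected or validation is skipped — since that is the property an operator needs to know; e.g. `# Required: inbound Telnyx webhooks are rejected when this is unset or does not match.`, adjusted to the actual handler behaviour, which is not part of this patch.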
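Review bot: The commit message calls the new rules "more permissive", but `max: 10, window: 60` allows 10 requests per minute whereas the default of 3 per 10 s allows 18, so sustained throughput actually drops while the permitted burst grows; a comment above the three rules should state the intended rate so the next reader does not "fix" it, e.g. `// Sign-in burst limit: 10 attempts per 60 s per client (Better Auth default is 3 per 10 s).`. The same three lines are duplicated at `@@ -247,6 +250,9 @@`; hoisting them into one module-level constant keeps the placeholder and real configs from drifting apart, as sketched below. Because the surrounding `storage: "memory"` keeps counters in-process, the budget is per API instance, so with several replicas the effective limit on `/sign-in/email` scales with the replica count; that is pre-existing, but worth a note next to the rules. initAuth() starts and ends outside both hunks.
```typescript
// Shared by the placeholder and real auth configs so the limits cannot drift.
// Sign-in burst limit: 10 attempts per 60 s per client (5 for sign-up);
// the Better Auth default is 3 per 10 s. Counters live in memory, so the
// budget is per API instance.
const authRateLimitRules = {
  "/sign-in/social": { max: 10, window: 60 },
  "/sign-in/email": { max: 10, window: 60 },
  "/sign-up/email": { max: 5, window: 60 },
  "/get-session": false,
};
// … unchanged: both initAuth() configs then use `customRules: authRateLimitRules,` …
```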
@@ -247,6 +250,9 @@ export async function initAuth(): Promise {
 window: 10,
 storage: "memory",
 customRules: {
+ "/sign-in/social": { max: 10, window: 60 },
+ "/sign-in/email": { max: 10, window: 60 },
+ "/sign-up/email": { max: 5, window: 60 },
 "/get-session": false,
 },
 },
--
2.52.0