From be20fe587a975b98ca422227ffdfe65926e3823b Mon Sep 17 00:00:00 2001
From: josh
Date: Sun, 19 Apr 2026 20:19:12 -0400
Subject: [PATCH] chore: remove auth rate limiting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Vector is an internal service — throttling /api/auth requests provides no meaningful protection and gets in the way of legitimate use. Drops the express-rate-limit middleware and dependency.

Co-Authored-By: Claude Opus 4.7
---
 apps/api/package.json | 1 -
 apps/api/src/app.ts | 11 +----------
 pnpm-lock.yaml | 20 --------------------
 3 files changed, 1 insertion(+), 31 deletions(-)

diff --git a/apps/api/package.json b/apps/api/package.json
index 2d2e7e1..bf41f98 100644
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -22,7 +22,6 @@
 "cors": "^2.8.6",
 "dotenv": "^17.4.2",
 "express": "^5.2.1",
- "express-rate-limit": "^8.3.2",
 "helmet": "^8.1.0",
 "jsonwebtoken": "^9.0.3",
 "pino": "^10.3.1",
diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index c4e2e3a..188bfdf 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -3,7 +3,6 @@ import cookieParser from 'cookie-parser';
 import cors from 'cors';
 import helmet from 'helmet';
 import { pinoHttp } from 'pino-http';
-import rateLimit from 'express-rate-limit';
 import { prisma } from '@vector/db';
 import { env } from './env.js';
 
@@ -69,15 +68,7 @@ app.get('/readyz', async (_req, res) => {
 }
 });
 
-const authLimiter = rateLimit({
- windowMs: 60 * 1000,
- limit: env.NODE_ENV === 'production' ? 5 : 50,
- standardHeaders: 'draft-7',
- legacyHeaders: false,
- message: { code: 'RATE_LIMITED', message: 'Too many auth requests. Try again soon.' },
-});
-
-app.use('/api/auth', authLimiter, authRoutes);
+app.use('/api/auth', authRoutes);
 app.use('/api', requireCsrf);
 app.use('/api/users', userRoutes);
 app.use('/api/manufacturers', manufacturerRoutes);
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index b47d708..8e78a27 100644
--- a/pnpm-lock.yaml
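Review bot: Dropping `authLimiter` leaves `app.use('/api/auth', authRoutes);` with no throttle at all on credential guessing or token-refresh abuse, and the "internal service" rationale in the description assumes a network boundary that nothing in this patch enforces — helmet does not limit request rate, and `requireCsrf` appears to be mounted after the auth routes (`app.use('/api', requireCsrf);`), so it does not cover them either. If the production limit of 5 requests per minute was what got in the way, the lower-risk change is to keep the middleware and adjust `limit` (or key it per account instead of per client) rather than remove the limiter and the `express-rate-limit` dependency in one commit. If it is removed anyway, the `RATE_LIMITED` response also disappears as a detection signal, so failed-login attempts handled by `authRoutes` should be logged and alerted on; whether `pinoHttp` already captures that is not visible in this hunk. `import { env } from './env.js';` is kept as context in the first hunk, so confirm `env` is still used elsewhere in app.ts now that the limiter no longer reads `env.NODE_ENV`.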
+++ b/pnpm-lock.yaml
@@ -41,9 +41,6 @@ importers:
 express:
 specifier: ^5.2.1
 version: 5.2.1
- express-rate-limit:
- specifier: ^8.3.2
- version: 8.3.2(express@5.2.1)
 helmet:
 specifier: ^8.1.0
 version: 8.1.0
@@ -1936,12 +1933,6 @@ packages:
 resolution: {integrity: sha512-knvyeauYhqjOYvQ66MznSMs83wmHrCycNEN6Ao+2AeYEfxUIkuiVxdEa1qlGEPK+We3n0THiDciYSsCcgW/DoA==}
 engines: {node: '>=12.0.0'}
 
- express-rate-limit@8.3.2:
- resolution: {integrity: sha512-77VmFeJkO0/rvimEDuUC5H30oqUC4EyOhyGccfqoLebB0oiEYfM7nwPrsDsBL1gsTpwfzX8SFy2MT3TDyRq+bg==}
- engines: {node: '>= 16'}
- peerDependencies:
- express: '>= 4.11'
-
 express@5.2.1:
 resolution: {integrity: sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==}
 engines: {node: '>= 18'}
@@ -2138,10 +2129,6 @@ packages:
 resolution: {integrity: sha512-5Hh7Y1wQbvY5ooGgPbDaL5iYLAPzMTUrjMulskHLH6wnv/A+1q5rgEaiuqEjB+oxGXIVZs1FF+R/KPN3ZSQYYg==}
 engines: {node: '>=12'}
 
- ip-address@10.1.0:
- resolution: {integrity: sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==}
- engines: {node: '>= 12'}
-
 ipaddr.js@1.9.1:
 resolution: {integrity: sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==}
 engines: {node: '>= 0.10'}
@@ -4572,11 +4559,6 @@ snapshots:
 
 expect-type@1.3.0: {}
 
- express-rate-limit@8.3.2(express@5.2.1):
- dependencies:
- express: 5.2.1
- ip-address: 10.1.0
-
 express@5.2.1:
 dependencies:
 accepts: 2.0.0
@@ -4778,8 +4760,6 @@ snapshots:
 
 internmap@2.0.3: {}
 
- ip-address@10.1.0: {}
-
 ipaddr.js@1.9.1: {}
 
 is-extglob@2.1.1: {}