chore: remove auth rate limiting

Vector is an internal service — throttling /api/auth requests provides no meaningful protection and gets in the way of legitimate use. Drops the express-rate-limit middleware and dependency. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-19 20:19:12 -04:00
parent da6bd071ee
commit be20fe587a
3 changed files with 1 additions and 31 deletions
@@ -3,7 +3,6 @@ import cookieParser from 'cookie-parser';
 import cors from 'cors';
 import helmet from 'helmet';
 import { pinoHttp } from 'pino-http';
-import rateLimit from 'express-rate-limit';
 import { prisma } from '@vector/db';

 import { env } from './env.js';
@@ -69,15 +68,7 @@ app.get('/readyz', async (_req, res) => {
  }
 });

-const authLimiter = rateLimit({
-  windowMs: 60 * 1000,
-  limit: env.NODE_ENV === 'production' ? 5 : 50,
-  standardHeaders: 'draft-7',
-  legacyHeaders: false,
-  message: { code: 'RATE_LIMITED', message: 'Too many auth requests. Try again soon.' },
-});
-
-app.use('/api/auth', authLimiter, authRoutes);
+app.use('/api/auth', authRoutes);
 app.use('/api', requireCsrf);
 app.use('/api/users', userRoutes);
 app.use('/api/manufacturers', manufacturerRoutes);