manohar/tia
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Rate limit controlled via RATE_LIMIT_ENABLED env

Browse source
This commit is contained in:
Manohar Gupta 2026-05-17 01:12:15 +05:30
parent f84ee96e2b
commit e47001365e
3 changed files with 27 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
CLAUDE.md
View file

@ -260,6 +260,13 @@ export async function GET(request: Request) {
} }
``` ```
### Current Security Status (May 2026)
- **RLS (Row-Level Security):** DISABLED on family_members and children tables (was blocking INSERTs)
- **App-level security:** All routes use `requireFamily()` and `requireOwnership()` checks
- **This is secure because:** All API routes validate session before returning data
- **To re-enable RLS later:** Add proper INSERT bypass policy, keep RLS for SELECT only
AI routes use medical guardrails from `@/lib/ai/medical-triggers`: AI routes use medical guardrails from `@/lib/ai/medical-triggers`:
```typescript ```typescript

25
src/app/api/admin/auth/route.ts
View file

@ -20,22 +20,17 @@ export async function POST(request: Request) {
return NextResponse.json({ error: "Username and password required" }, { status: 400 }); return NextResponse.json({ error: "Username and password required" }, { status: 400 });
} }
// Rate limiting // Rate limiting - enable via RATE_LIMIT_ENABLED env var
const ip = getClientIp(request); if (process.env.RATE_LIMIT_ENABLED !== "false") {
const isSignup = action === "signup"; const ip = getClientIp(request);
const isSignup = action === "signup";
const rateLimitResult = await rateLimit( const rateLimitResult = await rateLimit(
getRateLimitKey(isSignup ? "admin-signup" : "admin-signin", ip), getRateLimitKey(isSignup ? "admin-signup" : "admin-signin", ip),
{ max: isSignup ? 3 : 5, windowSec: isSignup ? 3600 : 900 } { max: isSignup ? 3 : 5, windowSec: isSignup ? 3600 : 900 }
);
if (!rateLimitResult.success) {
const response = NextResponse.json(
{ error: "Too many attempts. Please try again later." },
{ status: 429 }
); );
response.headers.set("Retry-After", Math.ceil((rateLimitResult.reset.getTime() - Date.now()) / 1000).toString()); if (!rateLimitResult.success) {
return response; return NextResponse.json({ error: "Too many attempts" }, { status: 429 });
}
} }
// First time setup (signup) // First time setup (signup)

25
src/app/api/auth/signin/route.ts
View file

@ -78,22 +78,17 @@ export async function POST(request: Request) {
return NextResponse.json({ error: "Email and password required" }, { status: 400 }); return NextResponse.json({ error: "Email and password required" }, { status: 400 });
} }
// Rate limiting // Rate limiting - enable via RATE_LIMIT_ENABLED env var
const ip = getClientIp(request); if (process.env.RATE_LIMIT_ENABLED !== "false") {
const isSignup = action === "signup"; const ip = getClientIp(request);
const isSignup = action === "signup";
const rateLimitResult = await rateLimit( const rateLimitResult = await rateLimit(
isSignup ? getRateLimitKey("auth-signup", ip) : getRateLimitKey("auth-signin", ip), isSignup ? getRateLimitKey("auth-signup", ip) : getRateLimitKey("auth-signin", ip),
{ max: isSignup ? 3 : 5, windowSec: isSignup ? 3600 : 900 } // signup: 3/hr, signin: 5/15min { max: isSignup ? 3 : 5, windowSec: isSignup ? 3600 : 900 }
);
if (!rateLimitResult.success) {
const response = NextResponse.json(
{ error: "Too many attempts. Please try again later." },
{ status: 429 }
); );
response.headers.set("Retry-After", Math.ceil((rateLimitResult.reset.getTime() - Date.now()) / 1000).toString()); if (!rateLimitResult.success) {
return response; return NextResponse.json({ error: "Too many attempts" }, { status: 429 });
}
} }
try { try {