fix: add rate limiting to auth service endpoints

apps/auth/app.ts

@@ -9,6 +9,7 @@
 import cors from 'cors';
 import express from 'express';
 import type { Request, Response, NextFunction } from 'express';
+import rateLimit from 'express-rate-limit';
 
 const port = process.env.AUTH_PORT || '8080';
 
@@ -38,8 +39,8 @@
   // This endpoint accepts an email, looks up the user, then finds their reset token
   app.get('/auth/test/verification-token', async (req, res) => {
     try {
       const identifier = String(req.query.identifier ?? '');
       const type = String(req.query.type ?? 'reset-password');
       if (!identifier) {
         return res.status(400).json({ error: 'identifier query parameter is required (email address)' });
       }
@@ -111,9 +112,24 @@
   );
 }
 
-// Mount the Better Auth handler for all auth routes
-// app.use() will handle all methods and paths under /auth
-app.use('/auth', toNodeHandler(auth));
+// Disable rate limiting in test environments to avoid flaky integration tests.
+// This matches the pattern used by the backend's rateLimiting middleware.
+const isTestEnv =
+  process.env.NODE_ENV === 'test' || process.env.USE_MOCK_SERVICES === 'true' || process.env.AUTH_BYPASS === 'true';
+
+if (isTestEnv) {
+  app.use('/auth', toNodeHandler(auth));
+} else {
+  const authRateLimit = rateLimit({
+    windowMs: 15 * 60 * 1000,
+    limit: 10,
+    standardHeaders: 'draft-7',
+    legacyHeaders: false,
+    message: { error: 'Too many requests, please try again later.' },
+  });
+
+  app.use('/auth', authRateLimit, toNodeHandler(auth));
+}
 
 //endpoint for healthchecks
 app.get('/healthcheck', async (req, res) => {
@@ -213,7 +229,7 @@
         },
       });
 
       organizationId = newOrganization.id;
     }
 
     if (!organizationId) {
@@ -224,7 +240,7 @@
       model: 'member',
       where: [
         { field: 'userId', value: newUser.id },
         { field: 'organizationId', value: organizationId },
       ],
     });
 
@@ -236,7 +252,7 @@
       model: 'member',
       data: {
         userId: newUser.id,
         organizationId: organizationId,
         role: 'stationManager',
         createdAt: new Date(),
       },

apps/auth/package.json

@@ -22,7 +22,8 @@
     "better-auth": "^1.5.6",
     "cors": "^2.8.6",
     "dotenv": "^17.3.1",
-    "express": "^5.2.1"
+    "express": "^5.2.1",
+    "express-rate-limit": "^8.2.1"
   },
   "peerDependencies": {
     "drizzle-orm": "^0.41.0"

apps/auth/tsup.config.ts

@@ -8,9 +8,15 @@ export default defineConfig((options) => ({
   target: 'node20',
   clean: true,
   sourcemap: true,
-  external: ['@wxyc/database', 'better-auth', 'drizzle-orm', 'express', 'cors', 'postgres', '@sentry/node'],
-  env: {
-    NODE_ENV: process.env.NODE_ENV || 'development',
-  },
+  external: [
+    '@wxyc/database',
+    'better-auth',
+    'drizzle-orm',
+    'express',
+    'express-rate-limit',
+    'cors',
+    'postgres',
+    '@sentry/node',
+  ],
   onSuccess: options.watch ? 'node ./dist/app.js' : undefined,
 }));

dev_env/docker-compose.yml

@@ -92,6 +92,7 @@ services:
         NPM_TOKEN: ${NPM_TOKEN:-}
     profiles: [ci]
     environment:
+      - NODE_ENV=test
       - DB_HOST=ci-db
       - DB_PORT=5432
       - DB_USERNAME=${DB_USERNAME}