From 96d139c4cc0c49d202388f5148b24b9028fafce5 Mon Sep 17 00:00:00 2001
From: NeuroKoder3
Date: Mon, 11 May 2026 21:03:14 -0500
Subject: [PATCH] fix(security): add explicit pre-auth rate-limit hook in server bootstrap

Place an explicit Fastify rate-limit preHandler before the authorization hook so CodeQL can verify that auth-protected handlers are throttled, closing js/missing-rate-limiting on server bootstrap.

Co-authored-by: Cursor
---
 server/src/index.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/server/src/index.js b/server/src/index.js
index 0c4c50a..3a20067 100644
--- a/server/src/index.js
+++ b/server/src/index.js
@@ -106,6 +106,8 @@ async function build() {
   });
   const authHook = makeAuthHook(config);
+  const authRateLimitHook = app.rateLimit({ max: 200, timeWindow: '1 minute' });
+  app.addHook('preHandler', authRateLimitHook);
   app.addHook('preHandler', authHook);
   app.register(require('./routes/health'));