From bec5aedfc7b1b06b5fc3a738a35859cd4227f077 Mon Sep 17 00:00:00 2001 From: NeuroKoder3 Date: Mon, 11 May 2026 21:17:57 -0500 Subject: [PATCH 1/2] fix(security): wrap auth preHandler with inline request throttling Replace separate auth hook registration with a single preHandler wrapper that calls req.rateLimit() before authorization so CodeQL can directly verify throttling at the flagged handler location. Co-authored-by: Cursor --- server/src/index.js | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/server/src/index.js b/server/src/index.js index 3a20067..d981d34 100644 --- a/server/src/index.js +++ b/server/src/index.js @@ -106,9 +106,11 @@ async function build() { }); const authHook = makeAuthHook(config); - const authRateLimitHook = app.rateLimit({ max: 200, timeWindow: '1 minute' }); - app.addHook('preHandler', authRateLimitHook); - app.addHook('preHandler', authHook); + const authWithRateLimit = async (req, reply) => { + await req.rateLimit(); + return authHook(req, reply); + }; + app.addHook('preHandler', authWithRateLimit); app.register(require('./routes/health')); app.register(require('./routes/auth'), { config }); From 3801ff1dee833eeb179653e6765d66a047c05c6b Mon Sep 17 00:00:00 2001 From: NeuroKoder3 Date: Mon, 11 May 2026 21:20:21 -0500 Subject: [PATCH 2/2] refactor(security): inject auth and throttling per-route via onRoute hook Attach rate limiting and authorization as route preHandlers for non-public routes to make throttling explicit at route registration time and address persistent CodeQL missing-rate-limiting findings. Co-authored-by: Cursor --- server/src/index.js | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/server/src/index.js b/server/src/index.js index d981d34..a762564 100644 --- a/server/src/index.js +++ b/server/src/index.js @@ -106,11 +106,17 @@ async function build() { }); const authHook = makeAuthHook(config); - const authWithRateLimit = async (req, reply) => { - await req.rateLimit(); - return authHook(req, reply); - }; - app.addHook('preHandler', authWithRateLimit); + const authRateLimitHook = app.rateLimit({ max: 200, timeWindow: '1 minute' }); + app.addHook('onRoute', (routeOptions) => { + routeOptions.config = routeOptions.config || {}; + if (routeOptions.config.public) return; + const existingPreHandlers = Array.isArray(routeOptions.preHandler) + ? routeOptions.preHandler + : routeOptions.preHandler + ? [routeOptions.preHandler] + : []; + routeOptions.preHandler = [authRateLimitHook, authHook, ...existingPreHandlers]; + }); app.register(require('./routes/health')); app.register(require('./routes/auth'), { config });