From aca127e52e863423c36447f27cebf3d762b600c2 Mon Sep 17 00:00:00 2001
From: LordMathis
Date: Sat, 11 Oct 2025 22:16:15 +0200
Subject: [PATCH] Move rate limiting for authentication endpoints to the public routes group

---
 server/internal/app/routes.go | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/server/internal/app/routes.go b/server/internal/app/routes.go
index 6bb2946..ce94587 100644
--- a/server/internal/app/routes.go
+++ b/server/internal/app/routes.go
@@ -64,16 +64,16 @@ func setupRouter(o Options) *chi.Mux {
 // API routes
 r.Route("/api/v1", func(r chi.Router) {
- // Rate limiting for API routes
- if o.Config.RateLimitRequests > 0 {
- r.Use(httprate.LimitByIP(
- o.Config.RateLimitRequests,
- o.Config.RateLimitWindow,
- ))
- }
-
 // Public routes (no authentication required)
 r.Group(func(r chi.Router) {
+ // Rate limiting for authentication endpoints to prevent brute force attacks
+ if o.Config.RateLimitRequests > 0 {
+ r.Use(httprate.LimitByIP(
+ o.Config.RateLimitRequests,
+ o.Config.RateLimitWindow,
+ ))
+ }
+
 r.Post("/auth/login", handler.Login(o.SessionManager, o.CookieService))
 r.Post("/auth/refresh", handler.RefreshToken(o.SessionManager, o.CookieService))
 })
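Review bot: The limiter added inside the public `r.Group` still reads the same `o.Config.RateLimitRequests` / `o.Config.RateLimitWindow` that previously budgeted the whole `/api/v1` surface, so a value sized for general API traffic is almost certainly too loose to slow an online password guess against `/auth/login`, and the comment claiming brute-force protection overstates what an unchanged, shared budget delivers. `httprate.LimitByIP` keys on `r.RemoteAddr` unless an upstream real-IP middleware rewrites it; behind a reverse proxy every client then shares one bucket (or, if a header-based real-IP middleware is in the chain, the key is attacker-controlled) — that middleware setup is outside the hunk, so it needs confirming. Because the key is the source address, a credential-stuffing run spread across many IPs is not slowed at all, so a per-account counter or backoff in `handler.Login` is still required; also note the authenticated routes under `/api/v1` now have no limiter, which the commit message frames as a move rather than a removal. Consider a separate, tighter limit applied only to `/auth/login` via `r.With(httprate.LimitByIP(...)).Post("/auth/login", ...)` and updating the comment to `// Per-IP limiter for the unauthenticated auth endpoints; per-account throttling is handled in the login handler` once that exists. setupRouter continues outside the hunk.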