fix(api/v2): apply rate limit before the admin gate

kolaente 2026-05-31 21:05:19 +02:00 committed by kolaente
parent 82ad23c135
commit 2e8bd6724b
1 changed files with 7 additions and 4 deletions


@ -413,14 +413,17 @@ func gateV2AdminRoutes() echo.MiddlewareFunc {
func registerAPIRoutesV2(e *echo.Echo, a *echo.Group) {
a.Use(noStoreCacheControl())
a.Use(SetupTokenMiddleware())
// The admin gate must run after the token middleware (it reads the
// authenticated user from the JWT claims) and is scoped by path so only
// /api/v2/admin/* is gated.
a.Use(gateV2AdminRoutes())
// Match the authenticated v1 group: rate limiting and route metrics
// apply to v2 resource endpoints too.
setupRateLimit(a, config.RateLimitKind.GetString())
setupMetricsMiddleware(a)
// The admin gate must run after the token middleware (it reads the
// authenticated user from the JWT claims) and after the rate limit and
// metrics middleware so requests rejected by the gate are still rate
// limited and measured — RequireInstanceAdmin does a DB read per request,
// so an unauthenticated flood to /api/v2/admin/* would otherwise hit the
// DB unbounded. It is scoped by path so only /api/v2/admin/* is gated.
a.Use(gateV2AdminRoutes())
api := apiv2.NewAPI(e, a)