From 2e8bd6724baaeaf1e901673e2e0eeb76652e90b2 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Sun, 31 May 2026 21:05:19 +0200
Subject: [PATCH] fix(api/v2): apply rate limit before the admin gate

---
 pkg/routes/routes.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/pkg/routes/routes.go b/pkg/routes/routes.go
index a3c151a50..d8ff5c61d 100644
--- a/pkg/routes/routes.go
+++ b/pkg/routes/routes.go
@@ -413,14 +413,17 @@ func gateV2AdminRoutes() echo.MiddlewareFunc {
 func registerAPIRoutesV2(e *echo.Echo, a *echo.Group) {
 	a.Use(noStoreCacheControl())
 	a.Use(SetupTokenMiddleware())
-	// The admin gate must run after the token middleware (it reads the
-	// authenticated user from the JWT claims) and is scoped by path so only
-	// /api/v2/admin/* is gated.
-	a.Use(gateV2AdminRoutes())
 	// Match the authenticated v1 group: rate limiting and route metrics
 	// apply to v2 resource endpoints too.
 	setupRateLimit(a, config.RateLimitKind.GetString())
 	setupMetricsMiddleware(a)
+	// The admin gate must run after the token middleware (it reads the
+	// authenticated user from the JWT claims) and after the rate limit and
+	// metrics middleware so requests rejected by the gate are still rate
+	// limited and measured — RequireInstanceAdmin does a DB read per request,
+	// so an unauthenticated flood to /api/v2/admin/* would otherwise hit the
+	// DB unbounded. It is scoped by path so only /api/v2/admin/* is gated.
+	a.Use(gateV2AdminRoutes())
 	api := apiv2.NewAPI(e, a)