jake/compassmock
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
compassmock/docs/RATE-LIMITING.md
Nicholai a0dd50f59b
feat(auth): add user profiles and improve auth security (#33) 
- Wire up real user data to sidebar, header, and account modal
- Add functional profile editing (first name, last name) via WorkOS API
- Add password change functionality via WorkOS API
- Add logout functionality to sidebar and header dropdowns
- Migrate from manual WorkOS SDK to @workos-inc/authkit-nextjs
- Add server-side input validation with Zod schemas for all auth routes
- Add shared validation schemas for auth, users, teams, schedule, financial
- Fix 30-second auto-logout by properly handling refresh tokens
- Add SidebarUser type and toSidebarUser helper for UI components
- Add getInitials utility for avatar fallbacks
- Document rate limiting configuration for Cloudflare WAF
- Fix login page Suspense boundary for Next.js 15 compatibility
- Remove obsolete workos-client.ts in favor of authkit helpers

Co-authored-by: Nicholai <nicholaivogelfilms@gmail.com>
2026-02-05 08:20:51 -07:00

72 lines
2.2 KiB
Markdown
Executable File
Raw Blame History

# Rate Limiting Configuration
This document explains how to configure rate limiting for the authentication endpoints using Cloudflare.
## Recommended Configuration
### Via Cloudflare Dashboard (Recommended)
1. Go to **Cloudflare Dashboard** > **Security** > **WAF** > **Rate limiting rules**
2. Create a new rule with the following settings:
**Rule name:** Auth endpoint protection
**Expression:**
```
(http.request.uri.path contains "/api/auth/") or (http.request.uri.path eq "/callback")
```
**Characteristics:** IP address
**Rate:** 10 requests per 60 seconds
**Action:** Block for 60 seconds
3. Click **Deploy**
### Alternative: Stricter Rules for Login
For additional protection against brute-force attacks on the login endpoint:
**Rule name:** Login endpoint protection
**Expression:**
```
(http.request.uri.path eq "/api/auth/login") and (http.request.method eq "POST")
```
**Characteristics:** IP address
**Rate:** 5 requests per 60 seconds
**Action:** Block for 300 seconds (5 minutes)
## Why These Settings?
1. **10 requests per minute for general auth endpoints** - Allows legitimate users to:
- Make a few login attempts if they mistype their password
- Request password resets
- Complete email verification
2. **Stricter limits on login** - The login endpoint is the primary target for brute-force attacks. 5 attempts per minute is generous for legitimate users but stops automated attacks.
3. **IP-based blocking** - Simple and effective for most use cases. Note that this may block multiple users behind the same NAT/corporate network.
## Monitoring
After enabling rate limiting:
1. Monitor the **Security Analytics** dashboard for blocked requests
2. Adjust thresholds if you see legitimate traffic being blocked
3. Consider adding additional rules for specific patterns of abuse
## Advanced: Per-User Rate Limiting
For more sophisticated rate limiting based on user identity (not just IP), consider implementing application-level rate limiting using:
- **Cloudflare Durable Objects** - For distributed state
- **Cloudflare KV** - For simple counters with eventual consistency
This is typically only needed for applications with high traffic or specific compliance requirements.
Reference in New Issue View Git Blame Copy Permalink