mirror of
https://github.com/AmruthPillai/Reactive-Resume.git
synced 2026-07-13 06:24:54 +10:00
feat: add flag to disable api rate limit (#3149)
Signed-off-by: aaccardo <hackardo@gmail.com>
This commit is contained in:
@@ -93,6 +93,10 @@ FLAG_DISABLE_EMAIL_AUTH="false"
|
||||
# This is useful if you are using a machine with limited resources, like a Raspberry Pi.
|
||||
FLAG_DISABLE_IMAGE_PROCESSING="false"
|
||||
|
||||
# This flag disables API rate limiting for authentication endpoints.
|
||||
# Rate limiting is enabled by default in production to prevent abuse.
|
||||
FLAG_DISABLE_API_RATE_LIMIT="false"
|
||||
|
||||
# Allows dynamic OAuth client registration to use any parseable redirect URI,
|
||||
# including custom schemes, private hosts, and non-loopback http:// URLs.
|
||||
# WARNING: Enabling this on a public or multi-tenant deployment can enable phishing
|
||||
|
||||
@@ -117,6 +117,7 @@ ENCRYPTION_SECRET=""
|
||||
FLAG_DISABLE_SIGNUPS="false"
|
||||
FLAG_DISABLE_EMAIL_AUTH="false"
|
||||
FLAG_DISABLE_IMAGE_PROCESSING="false"
|
||||
FLAG_DISABLE_API_RATE_LIMIT="false"
|
||||
# Allows any parseable dynamic OAuth redirect URI. Keep false unless this is a trusted self-hosted deployment.
|
||||
FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI="false"
|
||||
# Allows unsafe/private/non-public AI provider base URLs. Keep false unless this is a trusted self-hosted deployment.
|
||||
@@ -356,6 +357,7 @@ openssl rand -hex 32
|
||||
- **`FLAG_DISABLE_SIGNUPS`**: Disables new signups (web app and server). Useful for private instances.
|
||||
- **`FLAG_DISABLE_EMAIL_AUTH`**: Disables email/password login entirely. Also disables email verification, forgot password, and reset password flows. Users can still sign up via social auth (Google/GitHub/LinkedIn/Custom OAuth), unless FLAG_DISABLE_SIGNUPS is also set to true. Useful when only SSO is required.
|
||||
- **`FLAG_DISABLE_IMAGE_PROCESSING`**: Disables image processing. This is useful if you are using a machine with limited resources, like a Raspberry Pi.
|
||||
- **`FLAG_DISABLE_API_RATE_LIMIT`**: Disables API rate limiting for authentication endpoints. Rate limiting is enabled by default in production to prevent abuse.
|
||||
- **`FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI`**: Allows dynamic OAuth client registration to use any parseable redirect URI, including custom schemes, private hosts, and non-loopback `http://` URLs. **Warning: enabling this on a public or multi-tenant deployment can enable phishing or token exfiltration.** Only enable on trusted, self-hosted deployments.
|
||||
- **`FLAG_ALLOW_UNSAFE_AI_BASE_URL`**: Allows AI providers to be configured with unsafe, private, or non-public base URLs, including `http://` and private/loopback addresses (for example, a local Ollama instance at `http://192.168.1.10:11434`). Public HTTPS provider URLs remain the safe default. **Warning: enabling this on a multi-tenant deployment is an SSRF risk.** Only enable on trusted, self-hosted deployments.
|
||||
</Accordion>
|
||||
|
||||
@@ -26,7 +26,7 @@ import { createGithubProfileMapper, createProfileMapper } from "./oauth-profile"
|
||||
import { getTrustedOrigins } from "./trusted-origins";
|
||||
|
||||
const authBaseUrl = env.APP_URL;
|
||||
const isRateLimitEnabled = process.env.NODE_ENV === "production";
|
||||
const isRateLimitEnabled = process.env.NODE_ENV === "production" && !env.FLAG_DISABLE_API_RATE_LIMIT;
|
||||
|
||||
function getOAuthAudiences(): string[] {
|
||||
const base = authBaseUrl.replace(/\/$/, "");
|
||||
|
||||
Vendored
+1
@@ -74,6 +74,7 @@ export const env = createEnv({
|
||||
FLAG_DISABLE_SIGNUPS: z.stringbool().default(false),
|
||||
FLAG_DISABLE_EMAIL_AUTH: z.stringbool().default(false),
|
||||
FLAG_DISABLE_IMAGE_PROCESSING: z.stringbool().default(false),
|
||||
FLAG_DISABLE_API_RATE_LIMIT: z.stringbool().default(false),
|
||||
FLAG_ALLOW_UNSAFE_AI_BASE_URL: z.stringbool().default(false),
|
||||
FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI: z.stringbool().default(false),
|
||||
|
||||
|
||||
@@ -83,6 +83,7 @@
|
||||
"FLAG_DISABLE_SIGNUPS",
|
||||
"FLAG_DISABLE_EMAIL_AUTH",
|
||||
"FLAG_DISABLE_IMAGE_PROCESSING",
|
||||
"FLAG_DISABLE_API_RATE_LIMIT",
|
||||
"FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI",
|
||||
"FLAG_ALLOW_UNSAFE_AI_BASE_URL",
|
||||
"GOOGLE_CLOUD_API_KEY",
|
||||
|
||||
Reference in New Issue
Block a user