feat: add flag to disable api rate limit (#3149)

Signed-off-by: aaccardo <hackardo@gmail.com>
This commit is contained in:
Andrea Accardo
2026-06-17 13:26:27 +02:00
committed by GitHub
parent d6de3f830f
commit 3937f7ed2b
5 changed files with 9 additions and 1 deletions
+4
View File
@@ -93,6 +93,10 @@ FLAG_DISABLE_EMAIL_AUTH="false"
# This is useful if you are using a machine with limited resources, like a Raspberry Pi.
FLAG_DISABLE_IMAGE_PROCESSING="false"
# This flag disables API rate limiting for authentication endpoints.
# Rate limiting is enabled by default in production to prevent abuse.
FLAG_DISABLE_API_RATE_LIMIT="false"
# Allows dynamic OAuth client registration to use any parseable redirect URI,
# including custom schemes, private hosts, and non-loopback http:// URLs.
# WARNING: Enabling this on a public or multi-tenant deployment can enable phishing
+2
View File
@@ -117,6 +117,7 @@ ENCRYPTION_SECRET=""
FLAG_DISABLE_SIGNUPS="false"
FLAG_DISABLE_EMAIL_AUTH="false"
FLAG_DISABLE_IMAGE_PROCESSING="false"
FLAG_DISABLE_API_RATE_LIMIT="false"
# Allows any parseable dynamic OAuth redirect URI. Keep false unless this is a trusted self-hosted deployment.
FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI="false"
# Allows unsafe/private/non-public AI provider base URLs. Keep false unless this is a trusted self-hosted deployment.
@@ -356,6 +357,7 @@ openssl rand -hex 32
- **`FLAG_DISABLE_SIGNUPS`**: Disables new signups (web app and server). Useful for private instances.
- **`FLAG_DISABLE_EMAIL_AUTH`**: Disables email/password login entirely. Also disables email verification, forgot password, and reset password flows. Users can still sign up via social auth (Google/GitHub/LinkedIn/Custom OAuth), unless FLAG_DISABLE_SIGNUPS is also set to true. Useful when only SSO is required.
- **`FLAG_DISABLE_IMAGE_PROCESSING`**: Disables image processing. This is useful if you are using a machine with limited resources, like a Raspberry Pi.
- **`FLAG_DISABLE_API_RATE_LIMIT`**: Disables API rate limiting for authentication endpoints. Rate limiting is enabled by default in production to prevent abuse.
- **`FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI`**: Allows dynamic OAuth client registration to use any parseable redirect URI, including custom schemes, private hosts, and non-loopback `http://` URLs. **Warning: enabling this on a public or multi-tenant deployment can enable phishing or token exfiltration.** Only enable on trusted, self-hosted deployments.
- **`FLAG_ALLOW_UNSAFE_AI_BASE_URL`**: Allows AI providers to be configured with unsafe, private, or non-public base URLs, including `http://` and private/loopback addresses (for example, a local Ollama instance at `http://192.168.1.10:11434`). Public HTTPS provider URLs remain the safe default. **Warning: enabling this on a multi-tenant deployment is an SSRF risk.** Only enable on trusted, self-hosted deployments.
</Accordion>
+1 -1
View File
@@ -26,7 +26,7 @@ import { createGithubProfileMapper, createProfileMapper } from "./oauth-profile"
import { getTrustedOrigins } from "./trusted-origins";
const authBaseUrl = env.APP_URL;
const isRateLimitEnabled = process.env.NODE_ENV === "production";
const isRateLimitEnabled = process.env.NODE_ENV === "production" && !env.FLAG_DISABLE_API_RATE_LIMIT;
function getOAuthAudiences(): string[] {
const base = authBaseUrl.replace(/\/$/, "");
+1
View File
@@ -74,6 +74,7 @@ export const env = createEnv({
FLAG_DISABLE_SIGNUPS: z.stringbool().default(false),
FLAG_DISABLE_EMAIL_AUTH: z.stringbool().default(false),
FLAG_DISABLE_IMAGE_PROCESSING: z.stringbool().default(false),
FLAG_DISABLE_API_RATE_LIMIT: z.stringbool().default(false),
FLAG_ALLOW_UNSAFE_AI_BASE_URL: z.stringbool().default(false),
FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI: z.stringbool().default(false),
+1
View File
@@ -83,6 +83,7 @@
"FLAG_DISABLE_SIGNUPS",
"FLAG_DISABLE_EMAIL_AUTH",
"FLAG_DISABLE_IMAGE_PROCESSING",
"FLAG_DISABLE_API_RATE_LIMIT",
"FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI",
"FLAG_ALLOW_UNSAFE_AI_BASE_URL",
"GOOGLE_CLOUD_API_KEY",