diff --git a/.env.example b/.env.example index ab18e3be7..6424cc9e8 100644 --- a/.env.example +++ b/.env.example @@ -93,6 +93,10 @@ FLAG_DISABLE_EMAIL_AUTH="false" # This is useful if you are using a machine with limited resources, like a Raspberry Pi. FLAG_DISABLE_IMAGE_PROCESSING="false" +# This flag disables API rate limiting for authentication endpoints. +# Rate limiting is enabled by default in production to prevent abuse. +FLAG_DISABLE_API_RATE_LIMIT="false" + # Allows dynamic OAuth client registration to use any parseable redirect URI, # including custom schemes, private hosts, and non-loopback http:// URLs. # WARNING: Enabling this on a public or multi-tenant deployment can enable phishing diff --git a/docs/self-hosting/docker.mdx b/docs/self-hosting/docker.mdx index 0e19a1c8b..852982754 100644 --- a/docs/self-hosting/docker.mdx +++ b/docs/self-hosting/docker.mdx @@ -117,6 +117,7 @@ ENCRYPTION_SECRET="" FLAG_DISABLE_SIGNUPS="false" FLAG_DISABLE_EMAIL_AUTH="false" FLAG_DISABLE_IMAGE_PROCESSING="false" +FLAG_DISABLE_API_RATE_LIMIT="false" # Allows any parseable dynamic OAuth redirect URI. Keep false unless this is a trusted self-hosted deployment. FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI="false" # Allows unsafe/private/non-public AI provider base URLs. Keep false unless this is a trusted self-hosted deployment. @@ -356,6 +357,7 @@ openssl rand -hex 32 - **`FLAG_DISABLE_SIGNUPS`**: Disables new signups (web app and server). Useful for private instances. - **`FLAG_DISABLE_EMAIL_AUTH`**: Disables email/password login entirely. Also disables email verification, forgot password, and reset password flows. Users can still sign up via social auth (Google/GitHub/LinkedIn/Custom OAuth), unless FLAG_DISABLE_SIGNUPS is also set to true. Useful when only SSO is required. - **`FLAG_DISABLE_IMAGE_PROCESSING`**: Disables image processing. This is useful if you are using a machine with limited resources, like a Raspberry Pi. + - **`FLAG_DISABLE_API_RATE_LIMIT`**: Disables API rate limiting for authentication endpoints. Rate limiting is enabled by default in production to prevent abuse. - **`FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI`**: Allows dynamic OAuth client registration to use any parseable redirect URI, including custom schemes, private hosts, and non-loopback `http://` URLs. **Warning: enabling this on a public or multi-tenant deployment can enable phishing or token exfiltration.** Only enable on trusted, self-hosted deployments. - **`FLAG_ALLOW_UNSAFE_AI_BASE_URL`**: Allows AI providers to be configured with unsafe, private, or non-public base URLs, including `http://` and private/loopback addresses (for example, a local Ollama instance at `http://192.168.1.10:11434`). Public HTTPS provider URLs remain the safe default. **Warning: enabling this on a multi-tenant deployment is an SSRF risk.** Only enable on trusted, self-hosted deployments. diff --git a/packages/auth/src/config.ts b/packages/auth/src/config.ts index d25fd7f5c..8089f92a3 100644 --- a/packages/auth/src/config.ts +++ b/packages/auth/src/config.ts @@ -26,7 +26,7 @@ import { createGithubProfileMapper, createProfileMapper } from "./oauth-profile" import { getTrustedOrigins } from "./trusted-origins"; const authBaseUrl = env.APP_URL; -const isRateLimitEnabled = process.env.NODE_ENV === "production"; +const isRateLimitEnabled = process.env.NODE_ENV === "production" && !env.FLAG_DISABLE_API_RATE_LIMIT; function getOAuthAudiences(): string[] { const base = authBaseUrl.replace(/\/$/, ""); diff --git a/packages/env/src/server.ts b/packages/env/src/server.ts index df9a5b4aa..4abd17828 100644 --- a/packages/env/src/server.ts +++ b/packages/env/src/server.ts @@ -74,6 +74,7 @@ export const env = createEnv({ FLAG_DISABLE_SIGNUPS: z.stringbool().default(false), FLAG_DISABLE_EMAIL_AUTH: z.stringbool().default(false), FLAG_DISABLE_IMAGE_PROCESSING: z.stringbool().default(false), + FLAG_DISABLE_API_RATE_LIMIT: z.stringbool().default(false), FLAG_ALLOW_UNSAFE_AI_BASE_URL: z.stringbool().default(false), FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI: z.stringbool().default(false), diff --git a/turbo.json b/turbo.json index 98e42f6a6..b7eb52b8b 100644 --- a/turbo.json +++ b/turbo.json @@ -83,6 +83,7 @@ "FLAG_DISABLE_SIGNUPS", "FLAG_DISABLE_EMAIL_AUTH", "FLAG_DISABLE_IMAGE_PROCESSING", + "FLAG_DISABLE_API_RATE_LIMIT", "FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI", "FLAG_ALLOW_UNSAFE_AI_BASE_URL", "GOOGLE_CLOUD_API_KEY",