From 72866e935e3cf952168513fc08533db69d63df5e Mon Sep 17 00:00:00 2001
From: Trey T
Date: Mon, 23 Mar 2026 15:06:18 -0500
Subject: [PATCH] Disable auth rate limiters in debug mode for UI test suites

Rate limiters on login/register/password-reset endpoints cause 429 errors when running parallel UI tests that create many accounts. In debug mode, skip rate limiters entirely so test suites can run without throttling.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker-compose.dev.yml | 3 ++-
 docker-compose.yml | 2 +-
 internal/router/router.go | 25 ++++++++++++++++++-------
 3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 51b12ef..320a373 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -55,6 +55,7 @@ services:
 # Server
 PORT: "8000"
 DEBUG: "true"
+ DEBUG_FIXED_CODES: "true"
 ALLOWED_HOSTS: "localhost,127.0.0.1"
 TIMEZONE: "${TIMEZONE:-UTC}"
@@ -121,7 +122,7 @@ services:
 api:
 condition: service_healthy
 healthcheck:
- test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:3000/admin/"]
+ test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:3000/"]
 interval: 30s
 timeout: 10s
 retries: 3
diff --git a/docker-compose.yml b/docker-compose.yml
index 88ce2e2..275e59c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -125,7 +125,7 @@ services:
 HOSTNAME: "0.0.0.0"
 NEXT_PUBLIC_API_URL: "${NEXT_PUBLIC_API_URL}"
 healthcheck:
- test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:3000/admin/"]
+ test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:3000/"]
 interval: 30s
 timeout: 10s
 retries: 3
diff --git a/internal/router/router.go b/internal/router/router.go
index 30bc9d2..b595e19 100644
--- a/internal/router/router.go
+++ b/internal/router/router.go
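Review bot: `DEBUG_FIXED_CODES: "true"` is added to the dev compose environment in the first docker-compose.dev.yml hunk, but the commit message only describes the rate-limiter change and never mentions it. From the name it presumably makes some code predictable in debug mode, yet nothing in this patch shows where the variable is read, so that reading is inferred. If it is right, the line should carry a comment pinning it to local use, e.g. `# dev only: predictable codes for UI tests; never set in docker-compose.yml`, and the commit description should name it so the two behaviour changes are not conflated. The healthcheck path change from `/admin/` to `/` in both compose files is likewise undocumented in the message.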
@@ -218,7 +218,7 @@ func SetupRouter(deps *Dependencies) *echo.Echo {
 api := e.Group("/api")
 {
 // Public auth routes (no auth required)
- setupPublicAuthRoutes(api, authHandler)
+ setupPublicAuthRoutes(api, authHandler, cfg.Server.Debug)
 // Public data routes (no auth required)
 setupPublicDataRoutes(api, residenceHandler, taskHandler, contractorHandler, staticDataHandler, subscriptionHandler, taskTemplateHandler)
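Review bot: The switch that removes brute-force protection from the auth endpoints is `cfg.Server.Debug`, the same general debug flag the dev compose file sets with `DEBUG: "true"`, so any deployment that enables debug for verbose output also silently loses rate limiting on login, register and password reset. A dedicated opt-in setting for the UI-test case would keep the two concerns apart; the field name is the maintainers' call and `cfg.Server.DisableAuthRateLimits` below is only a placeholder: `setupPublicAuthRoutes(api, authHandler, cfg.Server.DisableAuthRateLimits)`. Whichever flag is used, SetupRouter should log one prominent line at startup when limiters are off so the condition is visible in the logs of any environment it reaches. `cfg` is not declared in this hunk; presumably it is a local of SetupRouter set up earlier, outside the hunk.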
@@ -306,15 +306,26 @@ func healthCheck(c echo.Context) error {
 // setupPublicAuthRoutes configures public authentication routes with
 // per-endpoint rate limiters to mitigate brute-force and credential-stuffing.
-func setupPublicAuthRoutes(api *echo.Group, authHandler *handlers.AuthHandler) {
+// Rate limiters are disabled in debug mode to allow UI test suites to run
+// without hitting 429 errors.
+func setupPublicAuthRoutes(api *echo.Group, authHandler *handlers.AuthHandler, debug bool) {
 auth := api.Group("/auth")
- // Rate limiters — created once, shared across requests.
- loginRL := custommiddleware.LoginRateLimiter() // 10 req/min
- registerRL := custommiddleware.RegistrationRateLimiter() // 5 req/min
- passwordRL := custommiddleware.PasswordResetRateLimiter() // 3 req/min
+ if debug {
+ // No rate limiters in debug/local mode
+ auth.POST("/login/", authHandler.Login)
+ auth.POST("/register/", authHandler.Register)
+ auth.POST("/forgot-password/", authHandler.ForgotPassword)
+ auth.POST("/verify-reset-code/", authHandler.VerifyResetCode)
+ auth.POST("/reset-password/", authHandler.ResetPassword)
+ auth.POST("/apple-sign-in/", authHandler.AppleSignIn)
+ auth.POST("/google-sign-in/", authHandler.GoogleSignIn)
+ } else {
+ // Rate limiters — created once, shared across requests.
+ loginRL := custommiddleware.LoginRateLimiter() // 10 req/min
+ registerRL := custommiddleware.RegistrationRateLimiter() // 5 req/min
+ passwordRL := custommiddleware.PasswordResetRateLimiter() // 3 req/min
- {
 auth.POST("/login/", authHandler.Login, loginRL)
 auth.POST("/register/", authHandler.Register, registerRL)
 auth.POST("/forgot-password/", authHandler.ForgotPassword, passwordRL)
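Review bot: The `if debug` branch re-lists all seven auth routes, so the two route tables will drift: a route added to only one branch is registered with or without a limiter depending on the environment, and nothing at compile time catches the mismatch. The `else` branch shows only the first three limited routes inside the hunk; the remaining routes, presumably verify-reset-code, reset-password and the apple/google sign-ins, are registered further down, outside the hunk, with whatever middleware they had before. Registering each route exactly once and selecting the middleware list per mode removes the duplication while keeping the same handlers and limiter assignments; the rewrite below covers the three routes visible in the hunk, and the rest of setupPublicAuthRoutes, including its closing brace, would need the same treatment outside this hunk. Echo's variadic `m ...MiddlewareFunc` accepts a nil slice spread, which is what makes the debug case a no-op.
```go
func setupPublicAuthRoutes(api *echo.Group, authHandler *handlers.AuthHandler, debug bool) {
	auth := api.Group("/auth")

	// One middleware list per limiter class. In debug mode the lists stay nil,
	// so the variadic spread below registers the routes without throttling
	// (UI test suites create many accounts in parallel and would hit 429).
	var loginRL, registerRL, passwordRL []echo.MiddlewareFunc
	if !debug {
		// Rate limiters — created once, shared across requests.
		loginRL = []echo.MiddlewareFunc{custommiddleware.LoginRateLimiter()}            // 10 req/min
		registerRL = []echo.MiddlewareFunc{custommiddleware.RegistrationRateLimiter()}  // 5 req/min
		passwordRL = []echo.MiddlewareFunc{custommiddleware.PasswordResetRateLimiter()} // 3 req/min
	}

	auth.POST("/login/", authHandler.Login, loginRL...)
	auth.POST("/register/", authHandler.Register, registerRL...)
	auth.POST("/forgot-password/", authHandler.ForgotPassword, passwordRL...)
	// … unchanged: remaining auth routes, registered once each the same way …
```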