Skip to content

fix(auth): stop rate limiter on /api/auth/me from logging users out#97

Merged
ShimiManashirov merged 1 commit into
mainfrom
claude/priceless-matsumoto-b2c506
Jul 4, 2026
Merged

fix(auth): stop rate limiter on /api/auth/me from logging users out#97
ShimiManashirov merged 1 commit into
mainfrom
claude/priceless-matsumoto-b2c506

Conversation

@ShimiManashirov

Copy link
Copy Markdown
Collaborator

Problem

The strict authLimiter (20 requests / 15 min) in backend/server.js covered all /api/auth routes, including GET /api/auth/me — which the frontend calls on every full page load. After ~20 navigations within 15 minutes, /me started returning 429; the frontend treated any /me failure as an auth failure, cleared the stored JWT (studylabs_token), and silently kicked the user back to /login.

Reproduced locally on 2026-07-04: after ~20 navigations the app logged the user out.

Fix

Backend (backend/server.js)

  • New loginLimiter keeps the strict 20/15min limit, but only on /api/auth/google (covers /google and /google/callback, including the mock-login flow).
  • The rest of /api/auth — including /me — now uses a relaxed 300/15min limiter, so routine page-load traffic can't trip it while abuse protection remains.

Frontend (frontend/src/store/authStore.js)

  • New handleAuthError helper distinguishes transient /me failures (429, 5xx, network errors) from real rejections. Transient failures keep the stored token so the session survives the next page load; only definitive rejections (401/403/other 4xx) clear it.
  • Applied in both initialize() and handleAuthCallback(). Existing behavior where a 400 during the OAuth callback clears the just-received token is preserved (pinned by an existing test).

Tests

  • Added regression test: token survives a 429 on /me (frontend/src/tests/authStore.test.jsx).
  • Backend: 120/120 passing. Frontend authStore suite: 12/12 passing.

🤖 Generated with Claude Code

The strict authLimiter (20 req/15min) covered all /api/auth routes,
including GET /api/auth/me which the frontend calls on every page load.
After ~20 navigations users hit 429, and the frontend treated it as an
auth failure — clearing the stored JWT and redirecting to /login.

- Apply the strict limiter only to the OAuth login endpoints
  (/api/auth/google*); the rest of /api/auth gets 300 req/15min.
- In authStore, keep the stored token on transient /me failures
  (429, 5xx, network errors) so a rate-limit blip no longer destroys
  the session; only definitive rejections clear it.
- Add a regression test asserting the token survives a 429 on /me.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@ShimiManashirov ShimiManashirov merged commit 158c1fe into main Jul 4, 2026
2 checks passed
ShimiManashirov added a commit that referenced this pull request Jul 4, 2026
* feat(frontend): a11y improvements + shared UI primitives (#92)

- Global :focus-visible ring in index.css for app-wide keyboard focus
- New shared Button (variants/sizes/loading) and StatCard primitives
- New CountUp spring-number component (respects reduced-motion)
- clickableProps() a11y helper; applied to interactive divs
  (course rows, sidebar profile, roadmap toggle, roster select, shop cards)
- aria-labels/aria-expanded on icon-only buttons (bell, pagination, collapse)
- Adopt Button on EmptyState, Dashboard header, ManagedCourses CTAs

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* fix(frontend): replace alert() with toasts, add error/a11y improvements

Replaces all browser alert() calls with the shared toast system, adds
missing error feedback for silently-failing fetches, fixes accessible
alt text and aria-labels across avatars/icon buttons/form fields, wires
up unconnected form labels, fixes an enrollment lookup using loose
equality, and flags Leaderboard's mock-data fallback as "Demo" so it's
not mistaken for real data.

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor(frontend): clean code + UI consistency overhaul (#95)

* chore(frontend): add Prettier, jsx-a11y linting, husky pre-commit + fix a11y violations

- Prettier config + one-time format of src/
- eslint-plugin-jsx-a11y (recommended) + eslint-config-prettier
- husky + lint-staged pre-commit via frontend prepare script
- root .editorconfig
- fix all 28 jsx-a11y errors (labels, alt text, modal backdrops)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* refactor(frontend): consolidate UI primitives, extract helpers, kill prop drilling

- new Spinner primitive replaces 17 duplicated inline spinner divs
- Button component used in MyCourses/ClassRoster/StudyShop (new gold variant)
- StudentStatusOverview split: 8 subcomponents extracted to components/instructor/
  + shared TableSkeleton/CardSkeleton in components/common/Skeletons.jsx
- status/format helpers moved to utils/studentStatus.js
- layouts: SidebarContent self-sources stores/router (9 props -> 2 callbacks)
- authStore: shared resolveActiveRole/loadCurrentUser helpers
- theme swatches unified into THEMES constant (was duplicated in StudentProfile)
- XP level magic numbers replaced with calculateLevel/XP_PER_LEVEL
- utils/logger.js wrapper replaces scattered console.* calls

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* polish(frontend): a11y + design-token consistency sweep

- ToastManager: aria-live polite region + labeled dismiss button
- sidebar course dropdown: aria-expanded / aria-haspopup
- inline brand gradients -> .bg-grad-* / .text-gradient-* classes
  (new bg-grad-instructor + text-gradient-instructor tokens)
- ClassRoster/ManagedCourses empty lists use shared EmptyState/PanelEmptyState

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix(frontend): sync package-lock.json with package.json (missing yaml dep)

npm ci in CI failed with 'Missing: yaml@2.9.0 from lock file'.
Regenerated the lockfile with npm install so it matches package.json.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>

* fix(auth): stop rate limiter on /api/auth/me from logging users out (#97)

The strict authLimiter (20 req/15min) covered all /api/auth routes,
including GET /api/auth/me which the frontend calls on every page load.
After ~20 navigations users hit 429, and the frontend treated it as an
auth failure — clearing the stored JWT and redirecting to /login.

- Apply the strict limiter only to the OAuth login endpoints
  (/api/auth/google*); the rest of /api/auth gets 300 req/15min.
- In authStore, keep the stored token on transient /me failures
  (429, 5xx, network errors) so a rate-limit blip no longer destroys
  the session; only definitive rejections clear it.
- Add a regression test asserting the token survives a 429 on /me.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>

---------

Co-authored-by: ShimiManashirov <122288727+ShimiManashirov@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant