Skip to content

fix: redirect to /auth/initial-setup after hitting auth rate limit (#…#3410

Open
Adityakk9031 wants to merge 1 commit into
fosrl:mainfrom
Adityakk9031:#3408
Open

fix: redirect to /auth/initial-setup after hitting auth rate limit (#…#3410
Adityakk9031 wants to merge 1 commit into
fosrl:mainfrom
Adityakk9031:#3408

Conversation

@Adityakk9031

Copy link
Copy Markdown
Contributor

Summary

Fixes #3408

After hitting the rate_limits.auth limit, reloading the dashboard root
redirected users to /auth/initial-setup instead of staying on the login
page — even on a fully configured instance.

Root Cause

Two issues combined to cause the redirect:

1. GET /auth/initial-setup-complete was inside the global authRouter
rate limiter scope.

The authRouter applies a blanket rate limiter to every /auth/* route using
an <IP>:<path> key. The /initial-setup-complete endpoint is called on
every dashboard root page load (it's a pure boolean read with no secrets),
so with a low max_requests value it exhausted its own per-path budget after
just a few reloads and started returning 429.

2. The page.tsx root page silently swallowed the 429.

// Before
let complete = false;
try {
    const res = await internal.get(`/auth/initial-setup-complete`, ...);
    complete = res.data.data.complete;
} catch (e) {}          // 429 discarded here
if (!complete) {        // complete is still false (default)
    redirect("/auth/initial-setup");  // fires incorrectly
}

@AstralDestiny

AstralDestiny commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Fixes something couldn't replicate though?

Sorry if I come off terse or whatnot, Not trying to be, Just wasn't able to replicate the issue they mentioned with their steps on EE, So the question is what did you do differently to replicate or just went to the code and tried to find the reference for that? or weren't able to replicate either but went to find a fix?

@Adityakk9031

Copy link
Copy Markdown
Contributor Author

Hi @AstralDestiny,
No worries at all, it's a completely valid question! The reason this issue is a bit tricky to replicate lies in how Next.js server-side fetches, header forwarding, and the path-based rate limiter interact.

@Adityakk9031

Copy link
Copy Markdown
Contributor Author

@miloschwartz have a look please

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Redir to /auth/initial-setup after run in login rate limit

2 participants