diff --git a/features/sso/backend-api/src/features/auth/auth.controller.ts b/features/sso/backend-api/src/features/auth/auth.controller.ts
index 9104219db..aa4441712 100755
--- a/features/sso/backend-api/src/features/auth/auth.controller.ts
+++ b/features/sso/backend-api/src/features/auth/auth.controller.ts
@@ -264,7 +264,7 @@ export class AuthController {
    * Rate limit: None (public endpoint for configuration)
    */
   @Get('verification-config')
-  @SkipThrottle()
+  @SkipThrottle({ default: true, 'strict-auth': true, 'moderate-auth': true })
   async getVerificationConfig(): Promise {
     // Build challenges array server-side (OCP: adding new challenge types only requires server config change)
     const challenges: VerificationChallenge[] = [];
@@ -320,7 +320,7 @@ export class AuthController {
    * Validate current session.
    */
   @Get("validate")
-  @SkipThrottle()
+  @SkipThrottle({ default: true, 'strict-auth': true, 'moderate-auth': true })
   async validate(@Req() req: Request, @Res() res: Response) {
     const sessionId = this.getSessionIdFromHeader(req);
     if (!sessionId) {
@@ -339,7 +339,7 @@ export class AuthController {
    * Get current user info.
    */
   @Get("me")
-  @SkipThrottle()
+  @SkipThrottle({ default: true, 'strict-auth': true, 'moderate-auth': true })
   async me(@Req() req: Request, @Res() res: Response) {
     const sessionId = this.getSessionIdFromHeader(req);
     if (!sessionId) {
@@ -358,7 +358,7 @@ export class AuthController {
    * Refresh session.
    */
   @Post("refresh")
-  @SkipThrottle()
+  @SkipThrottle({ default: true, 'strict-auth': true, 'moderate-auth': true })
   async refresh(@Req() req: Request, @Res() res: Response) {
     const sessionId = this.getSessionIdFromHeader(req);
     if (!sessionId) {
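Review bot: The throttler-name map `{ default: true, 'strict-auth': true, 'moderate-auth': true }` is repeated verbatim on six decorators (this hunk and the `validate`, `me`, `refresh`, `logout` and `csrf-token` hunks), so a rename or addition in the throttler module config has to be mirrored in every copy, and a copy that is missed leaves that one route on a different limit from the others with nothing to flag it. Hoisting the map into one module-level constant, `const SKIP_ALL_THROTTLER_TIERS = { default: true, 'strict-auth': true, 'moderate-auth': true } as const;` applied as `@SkipThrottle(SKIP_ALL_THROTTLER_TIERS)`, keeps the exemption in one place. The bare `@SkipThrottle()` presumably exempted only the default tier, so this change also lifts the `strict-auth` and `moderate-auth` limits from session-handling routes such as `refresh`; a comment above the constant recording why these routes are exempt from every tier (e.g. `// Session-scoped routes: exempt from all throttler tiers because <reason>`) would preserve that decision for the next reader. Each decorated method's body continues outside its hunk.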
@@ -377,7 +377,7 @@ export class AuthController {
    * Logout - revoke session.
    */
   @Post("logout")
-  @SkipThrottle()
+  @SkipThrottle({ default: true, 'strict-auth': true, 'moderate-auth': true })
   async logout(@Req() req: Request, @Res() res: Response) {
     const sessionId = this.getSessionIdFromHeader(req);
     if (sessionId) {
@@ -401,7 +401,7 @@ export class AuthController {
    * Token is bound to the session (if authenticated) and valid for 1 hour.
    */
   @Get("csrf-token")
-  @SkipThrottle()
+  @SkipThrottle({ default: true, 'strict-auth': true, 'moderate-auth': true })
   async getCsrfToken(
     @Req() req: Request,
   ): Promise<{ token: string; expiresIn: number }> {
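Review bot: `getCsrfToken` is reachable without a session (its doc line says the token is bound to the session only "if authenticated"), and the new decorator exempts it from every throttler tier, so nothing visible in this hunk bounds how fast an anonymous client can request fresh tokens; if issued tokens are persisted server-side that is an unbounded-allocation concern, and even a stateless scheme presumably does per-request work. Keeping one tier on this route, `@SkipThrottle({ default: true, 'strict-auth': true })`, or a comment stating why full exemption is acceptable here (e.g. `// csrf-token: <state whether issued tokens are stored and why no tier applies>`), would settle it. The `logout` hunk above is less exposed since its `if (sessionId)` guard means it only acts when a session header is supplied, but the same rationale comment would fit there. getCsrfToken's body continues outside the hunk.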