fix(rate-limit): ignore monitoring endpoints

Signed-off-by: Erik Michelson <github@erik.michelson.eu>

backend/src/security/rate-limiting.spec.ts

@@ -84,6 +84,15 @@ describe('rate limiting', () => {
     expect(getMaxLimitByRequestWithSecurityConfig(securityConfig)(request, 'key')).toBe(Infinity);
   });
 
+  it('never rate limits monitoring requests', () => {
+    const request = createMockedRequest({
+      url: '/api/private/monitoring/prometheus',
+      ip: '192.0.2.4',
+    });
+    expect(getTimeWindowByRequestWithSecurityConfig(securityConfig)(request, 'key')).toBe(0);
+    expect(getMaxLimitByRequestWithSecurityConfig(securityConfig)(request, 'key')).toBe(Infinity);
+  });
+
   it('uses auth limits for auth endpoints', () => {
     const request = createMockedRequest({ url: '/api/private/auth/login' });
     expect(getTimeWindowByRequestWithSecurityConfig(securityConfig)(request, 'key')).toBe(600000);

backend/src/security/rate-limiting.ts

@@ -53,15 +53,15 @@ function getRateLimitConfigByRequest(
   const path = req.routeOptions?.url ?? req.url;
   const userId = getUserIdFromSession(req);
 
-  // Logout is never rate-limited
-  if (path === '/api/private/auth/logout') {
+  // Logout and monitoring are never rate-limited
+  if (path === '/api/private/auth/logout' || path.startsWith('/api/private/monitoring')) {
     return {
       max: Infinity,
     };
   }
 
   // Auth endpoints except logout
-  if (path.includes('/api/private/auth/')) {
+  if (path.startsWith('/api/private/auth/')) {
     return securityConfig.rateLimit.auth;
   }