implement login throttle limit of 50 per minute removed from libnest

joshunrau · joshunrau · commit f6cfdadd7982 · 2026-01-13T12:56:06.000-05:00
diff --git a/apps/api/src/auth/auth.controller.ts b/apps/api/src/auth/auth.controller.ts
@@ -2,6 +2,7 @@ import { CurrentUser } from '@douglasneuroinformatics/libnest';
 import type { RequestUser } from '@douglasneuroinformatics/libnest';
 import { Body, Controller, Get, HttpCode, HttpStatus, Post } from '@nestjs/common';
 import { ApiOperation } from '@nestjs/swagger';
+import { Throttle } from '@nestjs/throttler';
 import { $LoginCredentials } from '@opendatacapture/schemas/auth';
 
 import { RouteAccess } from '@/core/decorators/route-access.decorator.js';
@@ -15,6 +16,7 @@ export class AuthController {
   @Get('create-instrument-token')
   @HttpCode(HttpStatus.OK)
   @RouteAccess({ action: 'create', subject: 'Instrument' })
+  @Throttle({ long: { limit: 50, ttl: 60_000 } })
   async getCreateInstrumentToken(@CurrentUser() currentUser: RequestUser): Promise<{ accessToken: string }> {
     return this.authService.getCreateInstrumentToken(currentUser);
   }
@@ -23,6 +25,7 @@ export class AuthController {
   @HttpCode(HttpStatus.OK)
   @Post('login')
   @RouteAccess('public')
+  @Throttle({ long: { limit: 50, ttl: 60_000 } })
   async login(@Body() credentials: $LoginCredentials): Promise<{ accessToken: string }> {
     return this.authService.login(credentials);
   }
