rate limiting server actions

Hi, I am using server actions for sign up, sign in, forgot password & reset password, but I don't see any rate limiting (even though I enabled rateLimit). Is this because calling auth.api from server actions is not rate limited? What if I want to protect my auth actions from misuse? I tried using Redis both as secondary storage and as custom storage for rate limiting. Also, can anyone please tell me why I can't see the prefix being used (the one passed to secondaryStorage)?
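/**
 * Better Auth instance configured with a Drizzle/Postgres primary database and
 * Redis as secondary storage. The `rateLimit` block below only governs requests
 * that reach the auth HTTP handler (e.g. via authClient); according to the reply
 * in this thread, `auth.api` calls made directly from server actions do not pass
 * through it, so server actions need their own limiter if abuse is a concern.
 */
export const auth = betterAuth({
  database: drizzleAdapter(db, { provider: "pg" }),
  secondaryStorage: {
    // Better Auth expects the stored string back, or null on a cache miss.
    get: async (key) => {
      const value = await redis.get(key);
      // A miss must surface as null. The original `JSON.stringify(value) || null`
      // turned a null hit into the string "null" (which is truthy), so misses
      // were reported as hits and the `|| null` fallback never fired.
      if (value === null || value === undefined) return null;
      // Some clients auto-deserialize JSON on read and hand back objects; those
      // are re-serialized here. Plain strings are passed through untouched so
      // they are not wrapped in an extra pair of quotes.
      // NOTE(review): confirm this matches the Redis client's return type.
      return typeof value === "string" ? value : JSON.stringify(value);
    },
    set: async (key, value, ttl) => {
      // ttl is in seconds; when no ttl is supplied the option is omitted so the
      // key is stored without expiry.
      const opt = ttl ? { ex: ttl } : undefined;
      await redis.set(key, value, opt);
    },
    delete: async (key) => {
      await redis.del(key);
    },
    prefix: "myauth",
  },
  rateLimit: {
    enabled: true,
    window: 60, // seconds
    max: 10, // requests allowed per window
    storage: "secondary-storage",
    // Alternative custom-storage variant kept for reference:
    // customStorage: {
    //   get: async (key) => {
    //     const data = await redis.get(key);
    //     console.log({ data });
    //     return data ? JSON.parse(data as string) : undefined;
    //   },
    //   set: async (key, value) => {
    //     await redis.set(key, JSON.stringify(value), { ex: 60 });
    //   },
    // },
  },
  emailAndPassword: {
    enabled: true,
    // NOTE(review): 6 characters is a low floor for a password; consider raising
    // it if the policy allows.
    minPasswordLength: 6,
    maxPasswordLength: 64,
    autoSignIn: false,
    requireEmailVerification: true,
    sendResetPassword: async ({ user, url }) => {
      await sendMail({
        to: [user.email],
        ...getAuthMailProps({ name: user.name, url, type: "reset" }),
      });
    },
  },
}); // the original listing was missing the closing `)` of betterAuth(...)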
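/**
 * Better Auth instance configured with a Drizzle/Postgres primary database and
 * Redis as secondary storage. The `rateLimit` block below only governs requests
 * that reach the auth HTTP handler (e.g. via authClient); according to the reply
 * in this thread, `auth.api` calls made directly from server actions do not pass
 * through it, so server actions need their own limiter if abuse is a concern.
 */
export const auth = betterAuth({
  database: drizzleAdapter(db, { provider: "pg" }),
  secondaryStorage: {
    // Better Auth expects the stored string back, or null on a cache miss.
    get: async (key) => {
      const value = await redis.get(key);
      // A miss must surface as null. The original `JSON.stringify(value) || null`
      // turned a null hit into the string "null" (which is truthy), so misses
      // were reported as hits and the `|| null` fallback never fired.
      if (value === null || value === undefined) return null;
      // Some clients auto-deserialize JSON on read and hand back objects; those
      // are re-serialized here. Plain strings are passed through untouched so
      // they are not wrapped in an extra pair of quotes.
      // NOTE(review): confirm this matches the Redis client's return type.
      return typeof value === "string" ? value : JSON.stringify(value);
    },
    set: async (key, value, ttl) => {
      // ttl is in seconds; when no ttl is supplied the option is omitted so the
      // key is stored without expiry.
      const opt = ttl ? { ex: ttl } : undefined;
      await redis.set(key, value, opt);
    },
    delete: async (key) => {
      await redis.del(key);
    },
    prefix: "myauth",
  },
  rateLimit: {
    enabled: true,
    window: 60, // seconds
    max: 10, // requests allowed per window
    storage: "secondary-storage",
    // Alternative custom-storage variant kept for reference:
    // customStorage: {
    //   get: async (key) => {
    //     const data = await redis.get(key);
    //     console.log({ data });
    //     return data ? JSON.parse(data as string) : undefined;
    //   },
    //   set: async (key, value) => {
    //     await redis.set(key, JSON.stringify(value), { ex: 60 });
    //   },
    // },
  },
  emailAndPassword: {
    enabled: true,
    // NOTE(review): 6 characters is a low floor for a password; consider raising
    // it if the policy allows.
    minPasswordLength: 6,
    maxPasswordLength: 64,
    autoSignIn: false,
    requireEmailVerification: true,
    sendResetPassword: async ({ user, url }) => {
      await sendMail({
        to: [user.email],
        ...getAuthMailProps({ name: user.name, url, type: "reset" }),
      });
    },
  },
}); // the original listing was missing the closing `)` of betterAuth(...)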
sebastian
sebastian · 6d ago
Rate limiting only works with authClient. On the server, you would have to implement it yourself.
