custom routes added to auth route arent rate limit protected

J

JarenOP•11/29/25, 2:15 AM

@Better Auth should custom routes added to the auth prefix (e.g. /auth/is-email-available) be rate limitable? i added a custom route and tried adding a custom rule for /auth/is-email-available and /is-email-available and the rate limits dont work. its enabled in dev mode and other rate lmiits do work

B

Better Auth•11/29/25, 2:15 AM

Based on our current implementation, rate limiting is applied globally [1] and custom rules only match the exact paths used in the request. When you add a custom route with an auth prefix (like /auth/is-email-available), the custom rule must match the actual request path that the rate limiter sees. If you’re using both /auth/is-email-available and /is-email-available and neither work, it could be that the route you’re defining doesn’t exactly match the internal routing used by Better Auth.

Custom endpoints created outside of our built‐in endpoints might not automatically be recognized by the custom rules unless the path provided in the rule exactly matches the request’s URL. It might be that additional configuration or adjustments are needed for such custom routes to be rate limited properly.

Have you double-checked that the custom rule path exactly matches the incoming request path? If it still doesn’t work, would you mind tagging @bekacru or @ping__ so they can dive deeper and help you resolve this?

Sources:
[1] Rate limiting applies globally (cannot restrict to specific routes)

— Better Auth is powered by https://clarm.com

GitHub

Rate limiting applies globally (cannot restrict to specific routes)...

Is this suited for github? Yes, this is suited for github Description When enabling rateLimit in Better Auth, it currently applies globally to all routes (e.g., /get-session). This results in unnec...

J

JarenOP•11/29/25, 2:17 AM

@Better Auth to clarify, im using fastify and i defined the route before the catch all route for /auth where betterauth handles those requests. the route is working properly and doing what i want it to, just no rate limits configuration seems to work for it

B

Better Auth•11/29/25, 2:17 AM

Hey there! Based on our documentation, a few things might be affecting the rate limiting in your setup:

In development mode, rate limiting is disabled by default. If you're running in development, you'll need to explicitly set enabled: true in your Better Auth configuration [1].
The built-in rate limiting is applied to requests handled by Better Auth’s own handler. If you've defined a custom Fastify route before the catch-all route, that route might bypass some of the internal middleware (including rate limiting) that gets applied to client-initiated requests processed directly by Better Auth [1]. This means your custom route might not be going through the rate limiter at all.

Could you double-check that you're running in production mode (or have explicitly enabled rate limiting) and verify that your requests to that custom route are processed by Better Auth’s handler? Let me know if that helps or if you need further clarification! Have you tried testing with the default catch-all route configuration to see if rate limiting works there?

Sources:
[1] Rate Limit | Better Auth

— Better Auth is powered by https://clarm.com

Rate Limit | Better Auth

How to limit the number of requests a user can make to the server in a given time period.

J

JarenOP•11/29/25, 3:10 AM

@Better Auth here's some code:

// from betterAuth configuration
{
  basePath: '/auth'.
  rateLimit: {
    enabled: true,
    customRules: {
      '/auth/is-email-available': {
        max: 3,
        window: 10
      },
      '/is-email-available': {
        max: 3,
        window: 10
      }
    },
  },
}

// from betterAuth configuration
{
  basePath: '/auth'.
  rateLimit: {
    enabled: true,
    customRules: {
      '/auth/is-email-available': {
        max: 3,
        window: 10
      },
      '/is-email-available': {
        max: 3,
        window: 10
      }
    },
  },
}

// from betterAuth configuration
{
  basePath: '/auth'.
  rateLimit: {
    enabled: true,
    customRules: {
      '/auth/is-email-available': {
        max: 3,
        window: 10
      },
      '/is-email-available': {
        max: 3,
        window: 10
      }
    },
  },
}

// from betterAuth configuration
{
  basePath: '/auth'.
  rateLimit: {
    enabled: true,
    customRules: {
      '/auth/is-email-available': {
        max: 3,
        window: 10
      },
      '/is-email-available': {
        max: 3,
        window: 10
      }
    },
  },
}

// registered /auth route
 fastify.route({
    method: ['GET', 'POST'],
    url: '/*',
    async handler(request, reply) {
      try {
        const url = new URL(request.url, `http://${request.headers.host}`);

        const headers = new Headers();

        Object.entries(request.headers).forEach(([key, value]) => {
          if (value) headers.append(key, value.toString());
        });

        const req = new Request(url.toString(), {
          method: request.method,
          headers,
          body: request.body ? JSON.stringify(request.body) : undefined,
        });

        const response = await auth.handler(req);

        reply.status(response.status);

        response.headers.forEach((value, key) => reply.header(key, value));

        reply.send(response.body ? await response.text() : null);
      } catch (error) {
        fastify.log.error('Authentication Error:');
        fastify.log.error(error);

        reply.status(StatusCodes.INTERNAL_SERVER_ERROR).send({
          error: ReasonPhrases.INTERNAL_SERVER_ERROR,
          code: 'AUTH_FAILURE',
        });
      }
    },
  });

  fastify.post('/is-email-available', {
    handler: async (req, res) => {
      const { email } = req.body;

      const available = await userService.isEmailAvailable(email);

      res.status(StatusCodes.OK).send({ available });
    },
  });

// registered /auth route
 fastify.route({
    method: ['GET', 'POST'],
    url: '/*',
    async handler(request, reply) {
      try {
        const url = new URL(request.url, `http://${request.headers.host}`);

        const headers = new Headers();

        Object.entries(request.headers).forEach(([key, value]) => {
          if (value) headers.append(key, value.toString());
        });

        const req = new Request(url.toString(), {
          method: request.method,
          headers,
          body: request.body ? JSON.stringify(request.body) : undefined,
        });

        const response = await auth.handler(req);

        reply.status(response.status);

        response.headers.forEach((value, key) => reply.header(key, value));

        reply.send(response.body ? await response.text() : null);
      } catch (error) {
        fastify.log.error('Authentication Error:');
        fastify.log.error(error);

        reply.status(StatusCodes.INTERNAL_SERVER_ERROR).send({
          error: ReasonPhrases.INTERNAL_SERVER_ERROR,
          code: 'AUTH_FAILURE',
        });
      }
    },
  });

  fastify.post('/is-email-available', {
    handler: async (req, res) => {
      const { email } = req.body;

      const available = await userService.isEmailAvailable(email);

      res.status(StatusCodes.OK).send({ available });
    },
  });

// registered /auth route
 fastify.route({
    method: ['GET', 'POST'],
    url: '/*',
    async handler(request, reply) {
      try {
        const url = new URL(request.url, `http://${request.headers.host}`);

        const headers = new Headers();

        Object.entries(request.headers).forEach(([key, value]) => {
          if (value) headers.append(key, value.toString());
        });

        const req = new Request(url.toString(), {
          method: request.method,
          headers,
          body: request.body ? JSON.stringify(request.body) : undefined,
        });

        const response = await auth.handler(req);

        reply.status(response.status);

        response.headers.forEach((value, key) => reply.header(key, value));

        reply.send(response.body ? await response.text() : null);
      } catch (error) {
        fastify.log.error('Authentication Error:');
        fastify.log.error(error);

        reply.status(StatusCodes.INTERNAL_SERVER_ERROR).send({
          error: ReasonPhrases.INTERNAL_SERVER_ERROR,
          code: 'AUTH_FAILURE',
        });
      }
    },
  });

  fastify.post('/is-email-available', {
    handler: async (req, res) => {
      const { email } = req.body;

      const available = await userService.isEmailAvailable(email);

      res.status(StatusCodes.OK).send({ available });
    },
  });

// registered /auth route
 fastify.route({
    method: ['GET', 'POST'],
    url: '/*',
    async handler(request, reply) {
      try {
        const url = new URL(request.url, `http://${request.headers.host}`);

        const headers = new Headers();

        Object.entries(request.headers).forEach(([key, value]) => {
          if (value) headers.append(key, value.toString());
        });

        const req = new Request(url.toString(), {
          method: request.method,
          headers,
          body: request.body ? JSON.stringify(request.body) : undefined,
        });

        const response = await auth.handler(req);

        reply.status(response.status);

        response.headers.forEach((value, key) => reply.header(key, value));

        reply.send(response.body ? await response.text() : null);
      } catch (error) {
        fastify.log.error('Authentication Error:');
        fastify.log.error(error);

        reply.status(StatusCodes.INTERNAL_SERVER_ERROR).send({
          error: ReasonPhrases.INTERNAL_SERVER_ERROR,
          code: 'AUTH_FAILURE',
        });
      }
    },
  });

  fastify.post('/is-email-available', {
    handler: async (req, res) => {
      const { email } = req.body;

      const available = await userService.isEmailAvailable(email);

      res.status(StatusCodes.OK).send({ available });
    },
  });

so apiurl.com/auth/is-email-available is a route. when i request it, rate limits dont seem to appear, however, auth routes show rate limiting

B

Better Auth•11/29/25, 3:11 AM

It looks like you’re seeing rate limiting only on routes processed through the Better Auth handler and not on your stand‐alone Fastify route. In your configuration, Better Auth is set up with a basePath of "/auth" and has custom rules for both "/auth/is-email-available" and "/is-email-available". However, your Fastify route is registered separately as a POST on "/is-email-available" (outside the auth handler) while the auth catch‐all route (at "/auth/*") is the one that applies Better Auth’s rate limit logic [2].

In short, Better Auth only applies its rate limiting to requests that go through its own handler (via the catch‐all route). If you call your custom route (registered directly on Fastify as "/is-email-available"), those requests bypass Better Auth’s rate limiting logic. You might consider either:

Moving your email availability check inside the Better Auth handler (so the request goes through Better Auth and the custom rate limit rule is enforced), or
Applying a separate rate limit mechanism on your standalone Fastify route.

Does that help clarify things? Would you like more guidance on integrating this route with Better Auth or troubleshooting custom rate limit rules further?

Sources:
[2] Rate Limit | Better Auth

— Better Auth is powered by https://clarm.com

Rate Limit | Better Auth

How to limit the number of requests a user can make to the server in a given time period.

J

JarenOP•11/29/25, 3:12 AM

ah

J

JarenOP•11/29/25, 3:12 AM

great thinking

Solution

J

Jaren•11/29/25, 3:21 AM

ah plugins

custom routes added to auth route arent rate limit protected

Similar Threads

Similar Threads

Similar Threads