
fix: exclude UI static assets from rate limiting BED-8327 #2816

Open
elikmiller wants to merge 1 commit into stage/v9.2.0 from bed-8327-remediation-assets-rate-limit

Conversation

Contributor

@elikmiller elikmiller commented May 22, 2026

Description

Move the /ui static asset prefix out of the DefaultRateLimitMiddleware group in RegisterFossRoutes so a single UI page load — which can request many HTML/JS/CSS/media assets — is not throttled by the per-IP API rate limiter. While reordering, also switch the literal "/ui" to the existing api.UserInterfacePath constant to keep the path defined in one place.

Auth and other global middleware (panic handler, auth middleware, compression, logging) continue to apply, since those are registered via UsePrerouting / UsePostrouting rather than the per-route router.With(...) rate-limiter wrapper.

Motivation and Context

Resolves BED-8327

Users have reported intermittent missing images and 429s on remediation pages with heavy screenshots (e.g. ESC1 documentation). The static asset route was previously inside the default rate-limited group, which trips the limiter whenever the UI fetches many assets at once — especially when react-query refetches on tab focus.

This PR handles the static asset / UI path. The companion change in bloodhound-enterprise covers the /api/v2/assets BHE finding-asset prefix and the UI-side refetchOnWindowFocus / memoization fixes.

How Has This Been Tested?

  • Existing unit tests in cmd/api/src/api/middleware/rate_limit_test.go already cover the rate-limiter middleware itself (TestRateLimitMiddleware, TestDefaultRateLimitMiddleware). This PR only changes route registration, not the middleware, so no new middleware tests were added.
  • Ran just prepare-for-codereview — clean tree, no codegen / license / format drift.

Screenshots (optional):

n/a

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • I have met the contributing prerequisites
  • I have ensured that related documentation is up-to-date
    • Open API docs — n/a (no API surface change)
    • Code comments — added a comment on the route explaining why it sits outside the rate-limited group
  • I have followed proper test practices
    • Added/updated tests to cover my changes — n/a, see "How Has This Been Tested?"
    • All new and existing tests passed

Summary by CodeRabbit

  • Bug Fixes
    • Updated routing for user interface static resources.

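The description above leans on one routing property: a per-IP limiter is attached to a group of routes by a wrapping middleware, while middleware registered for the whole router (UsePrerouting / UsePostrouting) runs on every route regardless of grouping, so a static prefix can be moved out of the limited group without losing auth, logging or compression. The following is an added example written for this page, not BloodHound's code and not part of this PR: it builds the same shape with the standard library's http.ServeMux instead of the project's router, and lets you observe both halves of the claim. All names are assumptions: ipLimiter stands in for DefaultRateLimitMiddleware (it is a plain request counter with no time window), withGlobal for a UsePrerouting-style global middleware, userInterfacePath for api.UserInterfacePath, and the in-memory UI bundle is constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"testing/fstest"
)

// userInterfacePath stands in for api.UserInterfacePath (assumed name).
const userInterfacePath = "/ui"

// ipLimiter is a deliberately simple per-client-address counter with no time
// window; it stands in for the real DefaultRateLimitMiddleware (assumption),
// because only the route wiring around it matters for this example.
type ipLimiter struct {
	mu     sync.Mutex
	limit  int
	counts map[string]int
}

func newIPLimiter(limit int) *ipLimiter {
	return &ipLimiter{limit: limit, counts: map[string]int{}}
}

// Middleware answers 429 once a client has exceeded limit requests on the
// routes it wraps; requests that never reach it are not counted at all.
func (l *ipLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			host = r.RemoteAddr
		}
		l.mu.Lock()
		l.counts[host]++
		over := l.counts[host] > l.limit
		l.mu.Unlock()
		if over {
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// withGlobal plays the role of middleware registered for every route
// (UsePrerouting-style): it runs whether or not the matched route sits
// inside the rate-limited group.
func withGlobal(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Global-Middleware", "applied")
		next.ServeHTTP(w, r)
	})
}

// uiAssets is a constructed in-memory stand-in for the built frontend bundle.
var uiAssets = fstest.MapFS{
	"index.html":    {Data: []byte(`<!doctype html><script src="/ui/static/app.js"></script>`)},
	"static/app.js": {Data: []byte("console.log('ui')")},
}

// buildRouter registers API routes inside the limiter and mounts the UI
// static prefix on the root router, outside the limited group.
func buildRouter(limiter *ipLimiter) http.Handler {
	apiRoutes := http.NewServeMux()
	apiRoutes.HandleFunc("/api/v2/self", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"user":"demo"}`)
	})

	root := http.NewServeMux()
	// Everything under /api/ passes through the per-IP limiter, like a router.With(...) group.
	root.Handle("/api/", limiter.Middleware(apiRoutes))
	// The UI prefix bypasses the limiter, so a page load fetching many assets
	// cannot exhaust that client's API budget.
	root.Handle(userInterfacePath+"/",
		http.StripPrefix(userInterfacePath, http.FileServer(http.FS(uiAssets))))

	return withGlobal(root)
}

// requestStatuses sends n GETs for path from remoteAddr and returns the status codes.
func requestStatuses(h http.Handler, remoteAddr, path string, n int) []int {
	codes := make([]int, 0, n)
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(http.MethodGet, path, nil)
		req.RemoteAddr = remoteAddr
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		codes = append(codes, rec.Code)
	}
	return codes
}

// globalHeaderApplied reports whether the global middleware ran for path.
func globalHeaderApplied(h http.Handler, path string) bool {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.RemoteAddr = "192.0.2.9:5000"
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("X-Global-Middleware") == "applied"
}

func main() {
	h := buildRouter(newIPLimiter(3))
	fmt.Println("API:", requestStatuses(h, "192.0.2.1:40000", "/api/v2/self", 5))
	fmt.Println("UI: ", requestStatuses(h, "192.0.2.1:40000", "/ui/static/app.js", 5))
}
```

With a budget of 3, the API route answers 200, 200, 200, 429, 429 for one client, while asset fetches from the same client all return 200 and leave its API budget untouched; the X-Global-Middleware header shows up on both kinds of response. The caveat a reviewer of this kind of move should keep in mind is the flip side of the fix: the static handler now has no per-IP throttle of its own, so whatever abuse protection it needs has to come from the global middleware or from the proxy or CDN in front of the service.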

Contributor

coderabbitai Bot commented May 22, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


Walkthrough

The PR adjusts the registration of UI static asset routes by moving the static handler outside the default API rate limiter middleware block. Previously, the route was mounted using a hardcoded path within the middleware wrapper; it is now registered separately with the configured UI path constant, removing rate limiting from static asset serving.

Changes

UI Static Asset Routing

Remove static assets from default API rate limiter (cmd/api/src/api/registration/registration.go): the routerInst.PathPrefix call for the UI static asset handler is repositioned outside the router.With(...) middleware block, changing which middleware is applied to static assets and using api.UserInterfacePath instead of a hardcoded "/ui" string.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning):

  • Docstring Coverage: Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (4 passed):

  • Title check: Passed. The title clearly and concisely summarizes the main change: excluding UI static assets from rate limiting. It includes the ticket reference (BED-8327) for context.
  • Description check: Passed. The PR description covers all required sections: a detailed description of changes, motivation and context with ticket resolution (BED-8327), testing approach with rationale for not adding new tests, change type (bug fix), and a completed checklist with all items marked.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@elikmiller elikmiller force-pushed the bed-8327-remediation-assets-rate-limit branch from fe4d9c7 to 1f760cb Compare May 22, 2026 23:04
@elikmiller elikmiller requested review from a team as code owners May 22, 2026 23:04
@elikmiller elikmiller changed the base branch from main to stage/v9.2.0 May 22, 2026 23:04
@elikmiller elikmiller force-pushed the bed-8327-remediation-assets-rate-limit branch from 1f760cb to fe4d9c7 Compare May 22, 2026 23:07
@elikmiller elikmiller force-pushed the bed-8327-remediation-assets-rate-limit branch from fe4d9c7 to 0cb1063 Compare May 22, 2026 23:11