feat(oauth): add rate limiting to OAuth endpoints

- Add express-rate-limit for OAuth initiation (10 req/min) and callback (30 req/min)
- Skip rate limiting in development/test environments
- Update tests with rate limiter mock

Addresses PR #1141 Follow-up #3: OAuth rate limiting

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: theothersideofgod

graphql/server/package.json

@@ -58,6 +58,7 @@
     "cors": "^2.8.6",
     "deepmerge": "^4.3.1",
     "express": "^5.2.1",
+    "express-rate-limit": "^8.5.1",
     "gql-ast": "workspace:^",
     "grafast": "1.0.0",
     "grafserv": "1.0.0",

graphql/server/src/middleware/__tests__/oauth.test.ts

@@ -28,6 +28,10 @@ jest.mock('@pgpmjs/logger', () => ({
   })),
 }));
 
+jest.mock('express-rate-limit', () => {
+  return jest.fn(() => (_req: any, _res: any, next: any) => next());
+});
+
 // Import after mocks
 import { createOAuthRoutes } from '../oauth';
 import { OAuthClient } from '@constructive-io/oauth';
@@ -112,6 +116,27 @@ describe('OAuth Middleware', () => {
       // Should have 4 routes: /providers, /error, /:provider, /:provider/callback
       expect(router.stack.length).toBe(4);
     });
+
+    it('applies rate limiting to OAuth initiation and callback routes', () => {
+      const router = createOAuthRoutes(mockOpts as any);
+
+      const initiateRoute = router.stack.find(
+        (layer: any) => layer.route?.path === '/:provider' && layer.route?.methods?.get
+      );
+      const callbackRoute = router.stack.find(
+        (layer: any) => layer.route?.path === '/:provider/callback'
+      );
+      const providersRoute = router.stack.find(
+        (layer: any) => layer.route?.path === '/providers'
+      );
+
+      // Initiate and callback routes should have 2 handlers (rate limiter + handler)
+      expect(initiateRoute!.route.stack.length).toBe(2);
+      expect(callbackRoute!.route.stack.length).toBe(2);
+
+      // Providers route should have 1 handler (no rate limiting)
+      expect(providersRoute!.route.stack.length).toBe(1);
+    });
   });
 
   describe('Providers Endpoint', () => {
@@ -126,7 +151,7 @@ describe('OAuth Middleware', () => {
       const providersRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/providers'
       );
-      const handler = providersRoute!.route.stack[0].handle;
+      const handler = providersRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 
@@ -152,7 +177,7 @@ describe('OAuth Middleware', () => {
       const providersRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/providers'
       );
-      const handler = providersRoute!.route.stack[0].handle;
+      const handler = providersRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 
@@ -177,7 +202,7 @@ describe('OAuth Middleware', () => {
       const initiateRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/:provider' && layer.route?.methods?.get
       );
-      const handler = initiateRoute!.route.stack[0].handle;
+      const handler = initiateRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 
@@ -213,7 +238,7 @@ describe('OAuth Middleware', () => {
       const initiateRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/:provider' && layer.route?.methods?.get
       );
-      const handler = initiateRoute!.route.stack[0].handle;
+      const handler = initiateRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 
@@ -253,7 +278,7 @@ describe('OAuth Middleware', () => {
       const initiateRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/:provider' && layer.route?.methods?.get
       );
-      const handler = initiateRoute!.route.stack[0].handle;
+      const handler = initiateRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 
@@ -312,7 +337,7 @@ describe('OAuth Middleware', () => {
       const callbackRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/:provider/callback'
       );
-      const handler = callbackRoute!.route.stack[0].handle;
+      const handler = callbackRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 
@@ -334,7 +359,7 @@ describe('OAuth Middleware', () => {
       const callbackRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/:provider/callback'
       );
-      const handler = callbackRoute!.route.stack[0].handle;
+      const handler = callbackRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 
@@ -362,7 +387,7 @@ describe('OAuth Middleware', () => {
       const callbackRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/:provider/callback'
       );
-      const handler = callbackRoute!.route.stack[0].handle;
+      const handler = callbackRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 
@@ -383,7 +408,7 @@ describe('OAuth Middleware', () => {
       const callbackRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/:provider/callback'
       );
-      const handler = callbackRoute!.route.stack[0].handle;
+      const handler = callbackRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 
@@ -457,7 +482,7 @@ describe('OAuth Middleware', () => {
       const callbackRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/:provider/callback'
       );
-      const handler = callbackRoute!.route.stack[0].handle;
+      const handler = callbackRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 
@@ -536,7 +561,7 @@ describe('OAuth Middleware', () => {
       const callbackRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/:provider/callback'
       );
-      const handler = callbackRoute!.route.stack[0].handle;
+      const handler = callbackRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 
@@ -628,7 +653,7 @@ describe('OAuth Middleware', () => {
       const callbackRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/:provider/callback'
       );
-      const handler = callbackRoute!.route.stack[0].handle;
+      const handler = callbackRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 
@@ -706,7 +731,7 @@ describe('OAuth Middleware', () => {
       const callbackRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/:provider/callback'
       );
-      const handler = callbackRoute!.route.stack[0].handle;
+      const handler = callbackRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 
@@ -787,7 +812,7 @@ describe('OAuth Middleware', () => {
       const callbackRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/:provider/callback'
       );
-      const handler = callbackRoute!.route.stack[0].handle;
+      const handler = callbackRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 
@@ -865,7 +890,7 @@ describe('OAuth Middleware', () => {
       const callbackRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/:provider/callback'
       );
-      const handler = callbackRoute!.route.stack[0].handle;
+      const handler = callbackRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 
@@ -919,7 +944,7 @@ describe('OAuth Middleware', () => {
       const initiateRoute = router.stack.find(
         (layer: any) => layer.route?.path === '/:provider' && layer.route?.methods?.get
       );
-      const handler = initiateRoute!.route.stack[0].handle;
+      const handler = initiateRoute!.route.stack.slice(-1)[0].handle;
 
       await handler(req, res, jest.fn());
 

graphql/server/src/middleware/oauth.ts

@@ -1,5 +1,6 @@
 import crypto from 'crypto';
 import { Router, Request, Response } from 'express';
+import rateLimit from 'express-rate-limit';
 import { OAuthClient, OAuthProfile } from '@constructive-io/oauth';
 import { Logger } from '@pgpmjs/logger';
 import { Pool } from 'pg';
@@ -238,6 +239,27 @@ export function createOAuthRoutes(opts: ConstructiveOptions): Router {
   const allowSignup = oauthConfig?.allowSignup ?? true;
   const requireVerifiedEmail = oauthConfig?.requireVerifiedEmail ?? true;
 
+  // Rate limiters for OAuth endpoints (disabled in development/test)
+  const skipRateLimit = process.env.NODE_ENV === 'development' || process.env.NODE_ENV === 'test';
+
+  const oauthInitLimiter = rateLimit({
+    windowMs: 60 * 1000, // 1 minute
+    max: 10, // 10 requests per minute per IP
+    skip: () => skipRateLimit,
+    message: { error: 'TOO_MANY_REQUESTS', message: 'Too many OAuth requests, please try again later' },
+    standardHeaders: true,
+    legacyHeaders: false,
+  });
+
+  const oauthCallbackLimiter = rateLimit({
+    windowMs: 60 * 1000, // 1 minute
+    max: 30, // 30 requests per minute per IP
+    skip: () => skipRateLimit,
+    message: { error: 'TOO_MANY_REQUESTS', message: 'Too many OAuth callback requests, please try again later' },
+    standardHeaders: true,
+    legacyHeaders: false,
+  });
+
   // GET /auth/providers - List available providers from database
   router.get('/providers', async (req: Request, res: Response) => {
     if (!req.api?.rlsModule?.privateSchema?.schemaName) {
@@ -264,7 +286,7 @@ export function createOAuthRoutes(opts: ConstructiveOptions): Router {
   });
 
   // GET /auth/:provider - Initiate OAuth flow
-  router.get('/:provider', async (req: Request, res: Response) => {
+  router.get('/:provider', oauthInitLimiter, async (req: Request, res: Response) => {
     const { provider } = req.params;
     const redirectUri = (req.query.redirect_uri as string) || '/';
 
@@ -326,7 +348,7 @@ export function createOAuthRoutes(opts: ConstructiveOptions): Router {
   });
 
   // GET /auth/:provider/callback - Handle OAuth callback
-  router.get('/:provider/callback', async (req: Request, res: Response) => {
+  router.get('/:provider/callback', oauthCallbackLimiter, async (req: Request, res: Response) => {
     const { provider } = req.params;
     const { code, state, error: oauthError, error_description } = req.query;