From b9de77e9127bcb3639739a20289104fe3f323d43 Mon Sep 17 00:00:00 2001
From: R44VC0RP
Date: Mon, 2 Feb 2026 12:28:16 -0500
Subject: [PATCH] fix: disable Better Auth API key rate limits

Better Auth's per-key rate limiting was causing misleading 401 errors when users exceeded the 4 req/sec limit. The error said 'Authentication required' instead of indicating rate limiting. Rate limiting is now handled solely by Upstash Redis in the E2 middleware (app/api/e2/lib/auth.ts) which:
- Returns proper 429 status codes
- Includes standard rate limit headers (X-RateLimit-*, Retry-After)
- Uses sliding window algorithm (10 req/sec per user)
- Doesn't require DB writes on every request
Fixes intermittent 401 errors reported when deleting email addresses via API.
---
 lib/auth/auth.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/auth/auth.ts b/lib/auth/auth.ts
index 900626aa..5f2189c4 100644
--- a/lib/auth/auth.ts
+++ b/lib/auth/auth.ts
@@ -232,10 +232,10 @@ export const auth = betterAuth({
 : undefined,
 }),
 apiKey({
+ // Rate limiting disabled - handled by Upstash in E2 middleware (app/api/e2/lib/auth.ts)
+ // This avoids duplicate rate limiting and ensures proper 429 responses instead of 401
 rateLimit: {
- enabled: true,
- timeWindow: 1000, // 1 second in milliseconds
- maxRequests: 4, // 4 requests per second
+ enabled: false,
 },
 }),
 admin(),
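Review bot: Setting `enabled: false` on the apiKey plugin removes the only throttle that applies to API-key verification itself, so any request that reaches the plugin without passing through the E2 middleware named in the new comment — the plugin's own verify endpoint, or any other handler that resolves a key through it — now has no per-key ceiling at all. The Upstash limiter the message describes is keyed per user, which presumably means it only acts once a key has already been resolved, so it does not bound guessing or replaying invalid keys; confirm that against app/api/e2/lib/auth.ts before relying on it as the sole limit. A cheaper alternative to a hard off is a coarse backstop that sits well above what the 10 req/s Upstash window can let through and therefore cannot trip on E2 traffic, e.g. `enabled: true, timeWindow: 60_000, maxRequests: 6000,`, accepting that this keeps the per-request DB write the message mentions. Whichever is chosen, the added comment should name which routes depend on the E2 middleware for limiting and what happens when Upstash is unreachable, e.g. `// NOTE: non-E2 callers of the apiKey plugin are unthrottled; E2 fails open/closed on Upstash outage — verify`. The enclosing `betterAuth({ ... })` call begins and ends outside the hunk.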