From 51bf7930cbd88dc73996348bf536bd4c2868cb04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=A4=A7=E5=93=A5=20=28Big=20Brother=29?=
Date: Mon, 2 Feb 2026 03:58:02 +0000
Subject: [PATCH] Fix rate limiting: extract token from header before auth middleware runs

The requestLimiter middleware runs BEFORE requireAuth, so req.token is not set yet. This causes POST endpoints to fail with 'Authentication required' because the rate limiter extracts an undefined token, affecting the request flow.

Fix: Directly extract token from Authorization header in getKey() function.

Fixes #60
---
 src/middleware/rateLimit.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/middleware/rateLimit.js b/src/middleware/rateLimit.js
index 1ec7ca4..c45c927 100644
--- a/src/middleware/rateLimit.js
+++ b/src/middleware/rateLimit.js
@@ -28,9 +28,13 @@ setInterval(() => {
 /**
 * Get rate limit key from request
+ * Note: This runs BEFORE requireAuth, so we must read directly from headers
 */
 function getKey(req, limitType) {
- const identifier = req.token || req.ip || 'anonymous';
+ // Extract token directly from header since req.token isn't set yet
+ const auth = req.headers.authorization;
+ const token = auth && auth.startsWith('Bearer ') ? auth.slice(7) : null;
+ const identifier = token || req.ip || 'anonymous';
 return `rl:${limitType}:${identifier}`;
 }
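Review bot: The new key is derived from an Authorization header that has not been verified yet (the added doc line itself notes getKey runs before requireAuth), so a client that varies the bearer value from request to request is placed in a fresh `rl:` bucket each time and is no longer bounded by the `req.ip` fallback that applied before this change. Keying on `req.ip` first and using the token only as a secondary component, e.g. `const identifier = `${req.ip || 'anonymous'}:${tokenKey || 'unauth'}`;`, would keep the limit meaningful for unauthenticated traffic. The raw token is also interpolated into the key string, which ends up wherever the limiter's keys are stored or logged; hashing it first, `const tokenKey = token ? createHash('sha256').update(token).digest('hex') : null;` with `createHash` imported from `node:crypto`, avoids persisting a credential. `auth && auth.startsWith('Bearer ')` can be written `auth?.startsWith('Bearer ')` with the same result for a missing or empty header.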