fix: update admin security control plane request check to include settings and config paths

2026-02-13 07:55:22 +00:00
parent 7308c03a99
commit 9628c305bc
2 changed files with 32 additions and 1 deletions
--- a/backend/internal/cerberus/rate_limit.go
+++ b/backend/internal/cerberus/rate_limit.go
@@ -32,7 +32,9 @@ func isAdminSecurityControlPlaneRequest(ctx *gin.Context) bool {
 		}
 	}

-	return strings.HasPrefix(parsedPath, "/api/v1/security/")
+	return strings.HasPrefix(parsedPath, "/api/v1/security/") ||
+		strings.HasPrefix(parsedPath, "/api/v1/settings") ||
+		strings.HasPrefix(parsedPath, "/api/v1/config")
 }

 // rateLimitManager manages per-IP rate limiters.
--- a/backend/internal/cerberus/rate_limit_test.go
+++ b/backend/internal/cerberus/rate_limit_test.go
@@ -392,6 +392,35 @@ func TestCerberusRateLimitMiddleware_AdminSecurityControlPlaneBypass(t *testing.
 	}
 }

+func TestCerberusRateLimitMiddleware_AdminSettingsBypass(t *testing.T) {
+	cfg := config.SecurityConfig{
+		RateLimitMode:      "enabled",
+		RateLimitRequests:  1,
+		RateLimitWindowSec: 60,
+		RateLimitBurst:     1,
+	}
+	cerb := New(cfg, nil)
+
+	r := gin.New()
+	r.Use(func(c *gin.Context) {
+		c.Set("role", "admin")
+		c.Set("userID", uint(1))
+		c.Next()
+	})
+	r.Use(cerb.RateLimitMiddleware())
+	r.POST("/api/v1/settings", func(c *gin.Context) {
+		c.Status(http.StatusOK)
+	})
+
+	for i := 0; i < 3; i++ {
+		req, _ := http.NewRequest("POST", "/api/v1/settings", nil)
+		req.RemoteAddr = "10.0.0.1:1234"
+		w := httptest.NewRecorder()
+		r.ServeHTTP(w, req)
+		assert.Equal(t, http.StatusOK, w.Code)
+	}
+}
+
 func TestCerberusRateLimitMiddleware_AdminNonSecurityPathStillLimited(t *testing.T) {
 	cfg := config.SecurityConfig{
 		RateLimitMode:      "enabled",