From c15393bccff8cd5533eb91ee7d89e7b99066cae5 Mon Sep 17 00:00:00 2001
From: Pulse Monitor
Date: Sun, 17 Aug 2025 07:08:42 +0000
Subject: [PATCH] fix: prevent setup screen showing on rate limit and exclude status checks from auth rate limiting
- Login component now handles 429 rate limit responses correctly
- When rate limited, assume auth is configured and show login form
- /api/security/status endpoint excluded from strict auth rate limiting
- Status checks now use general API rate limit (500/min) instead of auth limit (10/min)
- Fixes issue where rapid logout/login could trigger rate limiting
- Fixes setup screen appearing incorrectly when rate limited
---
 frontend-modern/src/components/Login.tsx | 4 ++++
 internal/api/router.go | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/frontend-modern/src/components/Login.tsx b/frontend-modern/src/components/Login.tsx
index 4a5def36b..533e6ecf7 100644
--- a/frontend-modern/src/components/Login.tsx
+++ b/frontend-modern/src/components/Login.tsx
@@ -34,6 +34,10 @@ export const Login: Component = (props) => {
 const data = await response.json();
 console.log('[Login] Auth status data:', data);
 setAuthStatus(data);
+ } else if (response.status === 429) {
+ // Rate limited - wait a bit and assume auth is configured
+ console.log('[Login] Rate limited, assuming auth is configured');
+ setAuthStatus({ hasAuthentication: true });
 } else {
 console.log('[Login] Auth check failed, assuming no auth');
 // On error, assume no auth configured
diff --git a/internal/api/router.go b/internal/api/router.go
index e74845d77..8e75ec031 100644
--- a/internal/api/router.go
+++ b/internal/api/router.go
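Review bot: The comment on the new 429 branch, `// Rate limited - wait a bit and assume auth is configured`, promises a wait that the code does not perform — the branch only pins `hasAuthentication: true` and continues, so a maintainer will look for a retry that is not there. Reword it to the decision actually taken: `// 429: our own status probe was rate limited; fail closed and show the login form, never the setup screen`. If a retry is wanted later, honouring the response's `Retry-After` header (when present) before re-issuing the probe would be the place, but that is a separate change. Note the remaining `else` branch, visible as context, still maps every other failure to "no auth", so 429 is now the only failure that fails closed — presumably intentional, but worth stating in the comment. The enclosing `Login` component begins before the hunk and continues after it.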
@@ -763,8 +763,8 @@ func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 }
 }
- // Apply stricter rate limiting for auth endpoints
- if strings.Contains(req.URL.Path, "/api/security/") || req.URL.Path == "/api/login" {
+ // Apply stricter rate limiting for auth endpoints (but not status checks)
+ if (strings.Contains(req.URL.Path, "/api/security/") && req.URL.Path != "/api/security/status") || req.URL.Path == "/api/login" {
 clientIP := GetClientIP(req)
 // Use auth limiter for security endpoints (10 per minute)
 if !authLimiter.Allow(clientIP) {
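Review bot: The exemption is an exact compare of the raw `req.URL.Path` against `/api/security/status`, and the throttled set is still decided by `strings.Contains` plus an exact `/api/login` match, all before routing; if the downstream mux cleans paths (http.ServeMux resolves `//` and `.` segments, which I cannot confirm from the hunk), a request for `/api//login` or `/api/security//login` would reach the login handler without ever passing the 10/min limiter, while the status probe is only exempt when spelled exactly. Since the condition is being rewritten anyway, I would normalise once with `path.Clean` and move the decision into a named predicate so the carve-out is documented next to the rule it weakens, as below (needs the stdlib `path` import). `ServeHTTP` begins and ends outside the hunk.
```go
// isAuthRateLimitedPath reports whether p is subject to the strict
// (10/min) auth limiter. The unauthenticated status probe is excluded
// so the login screen can poll it without tripping the auth limit.
func isAuthRateLimitedPath(p string) bool {
	p = path.Clean(p) // collapse "//" and "." segments before comparing
	if p == "/api/login" {
		return true
	}
	return strings.Contains(p, "/api/security/") && p != "/api/security/status"
}

// … unchanged: ServeHTTP up to the rate-limit check …
	if isAuthRateLimitedPath(req.URL.Path) {
```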