fix: throw request limit early

Author: JackHamer09

packages/auth-server-api/src/app.ts

@@ -35,8 +35,8 @@ app.get("/api/health", (_req: Request, res: Response) => {
   res.json({ status: "ok", timestamp: new Date().toISOString() });
 });
 
-// Deploy account endpoint (with Prividium auth middleware when enabled, plus rate limiting)
-app.post("/api/deploy-account", prividiumAuthMiddleware(prividiumConfig), deployLimiter, deployAccountHandler);
+// Deploy account endpoint (rate limiting first, then auth, then handler)
+app.post("/api/deploy-account", deployLimiter, prividiumAuthMiddleware(prividiumConfig), deployAccountHandler);
 
 // Global error handler
 // eslint-disable-next-line @typescript-eslint/no-unused-vars

packages/auth-server-api/src/middleware/rate-limit.ts

@@ -5,7 +5,8 @@ import { rateLimitConfig } from "../config.js";
 
 /**
  * Rate limiter for the deploy-account endpoint.
- * Uses Prividium userId when available, falls back to IP address.
+ * Runs before authentication to avoid expensive operations when rate limited.
+ * Uses IP-based limiting.
  */
 export const deployLimiter = rateLimit({
   windowMs: rateLimitConfig.deployWindowMs,
@@ -14,11 +15,6 @@ export const deployLimiter = rateLimit({
   legacyHeaders: false,
   message: { error: "Deployment rate limit exceeded, please try again later" },
   keyGenerator: (req: Request) => {
-    // Use Prividium userId if available for per-user limiting
-    if (req.prividiumUser?.userId) {
-      return `user:${req.prividiumUser.userId}`;
-    }
-    // Fall back to IP address when Prividium is disabled
     return req.ip || req.socket.remoteAddress || "unknown";
   },
 });