From 6f7de9462307e00942f68826d1f7b89ee9de414b Mon Sep 17 00:00:00 2001
From: Dan Milne
Date: Wed, 29 Oct 2025 13:55:36 +1100
Subject: [PATCH] Rate limit the forward_auth controller

---
 app/controllers/api/forward_auth_controller.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/controllers/api/forward_auth_controller.rb b/app/controllers/api/forward_auth_controller.rb
index 9d605cf..2b722df 100644
--- a/app/controllers/api/forward_auth_controller.rb
+++ b/app/controllers/api/forward_auth_controller.rb
@@ -3,6 +3,7 @@ module Api
     # ForwardAuth endpoints need session storage for return URL
     allow_unauthenticated_access
     skip_before_action :verify_authenticity_token
+    rate_limit to: 100, within: 1.minute, only: :verify, with: -> { head :too_many_requests }
 
     # GET /api/verify
     # This endpoint is called by reverse proxies (Traefik, Caddy, nginx)
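Review bot: The added `rate_limit` line leaves the bucket key at the Rails default, `request.remote_ip`, yet the comment right below states that `/api/verify` is only ever called by the reverse proxy, so unless `config.action_dispatch.trusted_proxies` covers that proxy every end user shares a single 100-requests-per-minute bucket and the whole site fails closed with 429s under ordinary traffic. Conversely, if `remote_ip` does honour `X-Forwarded-For` but the proxy is not the one setting it, a client can mint a fresh bucket per request by spoofing the header, which defeats the limit entirely. I'd make the keying explicit and record the assumption next to it: `# Keyed per forwarded client IP; the proxy must be in trusted_proxies or all clients share one bucket` followed by `rate_limit to: 100, within: 1.minute, only: :verify, by: -> { request.remote_ip }, with: -> { head :too_many_requests }`. It is also worth confirming that `Rails.cache` in production is a shared store, since with the default in-process memory store the limit is enforced per worker rather than globally; the `verify` action itself lies outside this hunk.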