🔒 fix: allow rateLimit passthrough and merge customRules

Spread customOptions.rateLimit (e.g. enabled, window, storage) into the rateLimit block so callers can configure global settings without losing the default customRules. customRules are deep-merged: caller-supplied rules are appended after the built-in ones.
🔒 fix: add rate limit custom rules for password reset and email verification
2026-06-16 04:25:59 +00:00 · 2026-03-08 12:42:32 +08:00 · 2026-03-08 12:12:04 +08:00
1 changed files with 9 additions and 0 deletions
@@ -90,6 +90,7 @@ async function customEmailValidator(email: string): Promise<boolean> {

 interface CustomBetterAuthOptions {
  plugins: BetterAuthPlugin[];
+  rateLimit?: BetterAuthOptions['rateLimit'];
 }

 export function defineConfig(customOptions: CustomBetterAuthOptions) {
@@ -253,6 +254,14 @@ export function defineConfig(customOptions: CustomBetterAuthOptions) {
        },
      },
    },
+    rateLimit: {
+      ...customOptions.rateLimit,
+      customRules: {
+        '/request-password-reset': { max: 3, window: 60 },
+        '/send-verification-email': { max: 3, window: 60 },
+        ...customOptions.rateLimit?.customRules,
+      },
+    },
    plugins: [
      ...customOptions.plugins,
      emailWhitelist(),