Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions backend/src/entities/company-info/company-info.controller.ts
Original file line number Diff line number Diff line change
Expand Up @@ -210,7 +210,7 @@ export class CompanyInfoController {
type: FoundUserFullCompanyInfoDs,
})
@UseGuards(CompanyUserGuard)
@Throttle({ default: { limit: isTest() ? 200 : 5, ttl: 60000 } })
@Throttle({ default: { limit: isTest() ? 200 : 10, ttl: 60000 } })
@Get('my/full')
async getUserCompanies(@UserId() userId: string): Promise<FoundUserCompanyInfoDs | FoundUserFullCompanyInfoDs> {
Comment on lines +213 to 215

Copilot AI Feb 9, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same inline throttle configuration pattern (ttl 60000, isTest() ? 200 : ...) is repeated for multiple endpoints. Consider centralizing these throttle presets (e.g., constants/factory) to avoid divergence when limits are tuned in the future.

Copilot uses AI. Check for mistakes.
return await this.getUserFullCompanyInfoUseCase.execute(userId);
Expand All @@ -224,7 +224,7 @@ export class CompanyInfoController {
type: InvitedUserInCompanyAndConnectionGroupDs,
})
@UseGuards(CompanyAdminGuard)
@Throttle({ default: { limit: isTest() ? 200 : 10, ttl: 60000 } })
@Throttle({ default: { limit: isTest() ? 200 : 15, ttl: 60000 } })
@Put('user/:companyId')
async inviteUserInCompanyAndConnectionGroup(
@UserId() userId: string,
Expand Down Expand Up @@ -294,6 +294,7 @@ export class CompanyInfoController {
description: 'User was successfully invited.',
type: TokenExpirationResponseDto,
})
@Throttle({ default: { limit: isTest() ? 200 : 5, ttl: 60000 } })
@Post('/invite/verify/:verificationString')
async verifyCompanyInvitation(
@Req() request: Request,
Expand Down
10 changes: 8 additions & 2 deletions backend/src/entities/user/user.controller.ts
Original file line number Diff line number Diff line change
Expand Up @@ -145,7 +145,7 @@ export class UserController {
description: 'Login successful.',
type: TokenExpDs,
})
@Throttle({ default: { limit: isTest() ? 200 : 5, ttl: 60000 } })
@Throttle({ default: { limit: isTest() ? 200 : 10, ttl: 60000 } })
@Post('user/login/')
async usualLogin(
@Res({ passthrough: true }) response: Response,
Expand Down Expand Up @@ -252,6 +252,7 @@ export class UserController {
description: 'Email verification requested.',
type: OperationResultMessageDs,
})
@Throttle({ default: { limit: isTest() ? 200 : 5, ttl: 60000 } })
@Get('user/email/verify/request')

Copilot AI Feb 9, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GET user/email/verify/request appears to trigger a side effect (sending an email verification). Using GET for state-changing operations can lead to unintended requests (e.g., prefetching/crawlers) and makes caching semantics unsafe. Consider switching this endpoint to POST (or otherwise ensuring it is truly safe/idempotent and not cacheable).

Suggested change
@Get('user/email/verify/request')
@Post('user/email/verify/request')

Copilot uses AI. Check for mistakes.
async requestEmailVerification(@UserId() userId: string): Promise<OperationResultMessageDs> {
return await this.requestEmailVerificationUseCase.execute(userId, InTransactionEnum.ON);
Expand All @@ -263,21 +264,22 @@ export class UserController {
description: 'Email verified.',
type: OperationResultMessageDs,
})
@Throttle({ default: { limit: isTest() ? 200 : 5, ttl: 60000 } })
@Get('user/email/verify/:verificationString')
async verifyEmail(
Comment on lines +267 to 269

Copilot AI Feb 9, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The throttle configuration object (ttl 60000, isTest() ? 200 : ...) is duplicated across multiple handlers in this controller, which increases the chance of inconsistent limits when changes are needed. Consider extracting shared throttle presets/helpers (e.g., 5/min, 10/min) into a constant or small factory to keep these values centralized.

Copilot uses AI. Check for mistakes.
@VerificationString('verificationString') verificationString: string,
): Promise<OperationResultMessageDs> {
return await this.verifyEmailUseCase.execute(verificationString, InTransactionEnum.ON);
}

//todo: make admin endpoint
@ApiOperation({ summary: 'Verify user password reset' })
@ApiBody({ type: PasswordDto })
@ApiResponse({
status: 201,
description: 'Password reset verified.',
type: RegisteredUserDs,
})
@Throttle({ default: { limit: isTest() ? 200 : 5, ttl: 60000 } })
@Post('user/password/reset/verify/:verificationString')
async resetUserPassword(
@Body() passwordData: PasswordDto,
Expand Down Expand Up @@ -309,6 +311,7 @@ export class UserController {
description: 'Email change requested.',
type: OperationResultMessageDs,
})
@Throttle({ default: { limit: isTest() ? 200 : 5, ttl: 60000 } })
@Get('user/email/change/request/')

Copilot AI Feb 9, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GET user/email/change/request/ appears to trigger a side effect (sending an email change verification). Using GET for state-changing operations can lead to unintended requests (prefetching/crawlers) and makes caching semantics unsafe. Consider switching this endpoint to POST (or otherwise ensuring it is truly safe/idempotent and not cacheable).

Suggested change
@Get('user/email/change/request/')
@Post('user/email/change/request/')

Copilot uses AI. Check for mistakes.
async askChangeUserEmail(@UserId() userId: string): Promise<OperationResultMessageDs> {
return await this.requestChangeUserEmailUseCase.execute(userId, InTransactionEnum.ON);
Expand All @@ -321,6 +324,7 @@ export class UserController {
description: 'Email change verified.',
type: OperationResultMessageDs,
})
@Throttle({ default: { limit: isTest() ? 200 : 5, ttl: 60000 } })
@Post('user/email/change/verify/:verificationString')
async verifyChangeUserEmail(
@BodyEmail('email') email: string,
Expand Down Expand Up @@ -407,6 +411,7 @@ export class UserController {
description: 'Token verified.',
type: OtpValidationResultDS,
})
@Throttle({ default: { limit: isTest() ? 200 : 10, ttl: 60000 } })
@Post('user/otp/verify/')
async verifyOtp(@UserId() userId: string, @Body() otpTokenData: OtpTokenDto): Promise<OtpValidationResultDS> {
const { otpToken } = otpTokenData;
Expand All @@ -433,6 +438,7 @@ export class UserController {
description: 'Two-factor authentication token validated.',
type: TokenExpDs,
})
@Throttle({ default: { limit: isTest() ? 200 : 10, ttl: 60000 } })
@Post('user/otp/login/')
async validateOtp(
@Req() request: Request,
Expand Down
Loading