From b885d89ae49a3cffb2394ac9038ef84a8f9e152a Mon Sep 17 00:00:00 2001
From: admin
Date: Mon, 11 Aug 2025 14:16:44 -0600
Subject: [PATCH] Fixed admin rate issues
---
 map/app/middleware/rateLimiter.js | 24 ++++++++++++++++++++----
 map/app/routes/auth.js | 6 ++++++
 2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/map/app/middleware/rateLimiter.js b/map/app/middleware/rateLimiter.js
index 08bd3f9..e94a5e6 100644
--- a/map/app/middleware/rateLimiter.js
+++ b/map/app/middleware/rateLimiter.js
@@ -28,16 +28,20 @@ const strictLimiter = rateLimit({
 message: 'Too many write operations, please try again later.'
 });
-// Auth-specific limiter
+// Auth-specific limiter with admin bypass capability
 const authLimiter = rateLimit({
 windowMs: 15 * 60 * 1000,
- max: config.isProduction ? 10 : 50,
+ max: config.isProduction ? 30 : 50, // Increased from 10 to 30 for production
 keyGenerator,
 standardHeaders: true,
 legacyHeaders: false,
 trustProxy: true, // Explicitly trust proxy
 message: 'Too many login attempts, please try again later.',
- skipSuccessfulRequests: true
+ skipSuccessfulRequests: true,
+ skip: (req, res) => {
+ // Skip rate limiting for authenticated admin users on certain admin endpoints
+ return req.session?.isAdmin && req.path?.includes('/admin');
+ }
 });
 // Temp user rate limiter - stricter but allows for auto-refresh
@@ -63,10 +67,22 @@ const conditionalTempLimiter = (req, res, next) => {
 return apiLimiter(req, res, next);
 };
+// Admin-friendly limiter for admin operations
+const adminLimiter = rateLimit({
+ windowMs: 15 * 60 * 1000, // 15 minutes
+ max: 200, // High limit for admin operations
+ keyGenerator,
+ standardHeaders: true,
+ legacyHeaders: false,
+ trustProxy: true,
+ message: 'Rate limit exceeded for admin operations. Please try again later.'
+});
+
 module.exports = {
 apiLimiter,
 strictLimiter,
 authLimiter,
 tempUserLimiter,
- conditionalTempLimiter
+ conditionalTempLimiter,
+ adminLimiter
 };
\ No newline at end of file 
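Review bot: The new `skip` callback on `authLimiter` exempts any request that carries `req.session?.isAdmin` from login throttling, so an attacker holding a compromised admin session gets an unlimited credential-guessing budget against `/login` and `/recover-password` (the routes that apply this limiter in auth.js), which is the opposite of what a login limiter exists for. `req.path?.includes('/admin')` is a substring test rather than a route match, so it does not meaningfully narrow the bypass, and the skip is never logged. Since this same commit adds `adminLimiter` for admin operations, the cleaner fix is to delete the four added `skip:` lines from `authLimiter` and apply `adminLimiter` to the admin routes instead; if a bypass must remain, key it on an exact path and log every skipped request. Raising `max` from 10 to 30 also triples the per-key failed-attempt budget per 15-minute window, so the inline comment should state why 30 is acceptable rather than just recording the change.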
diff --git a/map/app/routes/auth.js b/map/app/routes/auth.js
index f041300..d98fb4d 100644
--- a/map/app/routes/auth.js
+++ b/map/app/routes/auth.js
@@ -3,10 +3,16 @@ const router = express.Router();
 const authController = require('../controllers/authController');
 const passwordRecoveryController = require('../controllers/passwordRecoveryController');
 const { authLimiter } = require('../middleware/rateLimiter');
+const config = require('../config');
 // Login route with rate limiting
 router.post('/login', authLimiter, authController.login);
+// Debug login route without rate limiting (only in development or for testing)
+if (!config.isProduction) {
+ router.post('/debug-login', authController.login);
+}
+
 // Password recovery route with rate limiting
 router.post('/recover-password', authLimiter, passwordRecoveryController.requestPassword);
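Review bot: The unthrottled `/debug-login` route runs the real `authController.login` and is mounted whenever `config.isProduction` is false, so any staging or test deployment reachable over a network, or a production host with its environment flag unset, exposes an unthrottled credential-guessing endpoint against real accounts. A negative production check is a weak gate for this; require an explicit opt-in as well, e.g. `if (!config.isProduction && process.env.ENABLE_DEBUG_LOGIN === 'true') {`, and consider restricting the route to loopback callers. The comment above the route should also state that it shares session and credential handling with `/login` and must never be mounted in a shared environment. How `config.isProduction` is derived is not visible in this diff, so the strength of the gate cannot be judged from here.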