Exclude public API endpoints from rate limiting

packages/backend/src/index.ts

@@ -93,7 +93,19 @@ const apiKeyRouter = apiKeyRoutes(authService);
 app.use('/v1/upload', uploadRouter);
 
 // Middleware for all other routes
-app.use(rateLimiter);
+app.use((req, res, next) => {
+	// exclude certain API endpoints from the rate limiter, for example status, system settings
+	const excludedPatterns = [
+		/^\/v\d+\/auth\/status$/,
+		/^\/v\d+\/settings\/system$/
+	];
+	for (const pattern of excludedPatterns) {
+		if (pattern.test(req.path)) {
+			return next();
+		}
+	}
+	rateLimiter(req, res, next);
+});
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
 

packages/frontend/src/routes/+layout.server.ts

@@ -6,8 +6,9 @@ import type { SystemSettings } from '@open-archiver/types';
 
 export const load: LayoutServerLoad = async (event) => {
 	const { locals, url } = event;
-	try {
-		const response = await api('/auth/status', event);
+	const response = await api('/auth/status', event);
+
+	if (response.ok) {
 		const { needsSetup } = await response.json();
 
 		if (needsSetup && url.pathname !== '/setup') {
@@ -17,19 +18,24 @@ export const load: LayoutServerLoad = async (event) => {
 		if (!needsSetup && url.pathname === '/setup') {
 			throw redirect(307, '/signin');
 		}
-	} catch (error) {
-		throw error;
+	} else {
+		// if auth status check fails, we can't know if the setup is complete,
+		// so we redirect to signin page as a safe fallback.
+		if (url.pathname !== '/signin') {
+			console.error('Failed to get auth status:', await response.text());
+			throw redirect(307, '/signin');
+		}
 	}
 
-	const settingsResponse = await api('/settings', event);
-	const settings: SystemSettings | null = settingsResponse.ok
-		? await settingsResponse.json()
+	const systemSettingsResponse = await api('/settings/system', event);
+	const systemSettings: SystemSettings | null = systemSettingsResponse.ok
+		? await systemSettingsResponse.json()
 		: null;
 
 	return {
 		user: locals.user,
 		accessToken: locals.accessToken,
 		isDemo: process.env.IS_DEMO === 'true',
-		settings,
+		systemSettings,
 	};
 };

packages/frontend/src/routes/+layout.svelte

@@ -18,7 +18,7 @@
 			let finalTheme = $theme;
 
 			if (finalTheme === 'system') {
-				finalTheme = data.settings?.theme || 'system';
+				finalTheme = data.systemSettings?.theme || 'system';
 			}
 
 			const isDark =

packages/frontend/src/routes/+layout.ts

@@ -8,8 +8,8 @@ export const load: LayoutLoad = async ({ url, data }) => {
 
 	let initLocale: SupportedLanguage = 'en'; // Default fallback
 
-	if (data.settings?.language) {
-		initLocale = data.settings.language;
+	if (data.systemSettings?.language) {
+		initLocale = data.systemSettings.language;
 	}
 
 	console.log(initLocale);

packages/frontend/src/routes/dashboard/settings/system/+page.server.ts

@@ -11,9 +11,9 @@ export const load: PageServerLoad = async (event) => {
 		throw error(response.status, message || 'Failed to fetch system settings');
 	}
 
-	const settings: SystemSettings = await response.json();
+	const systemSettings: SystemSettings = await response.json();
 	return {
-		settings,
+		systemSettings,
 	};
 };
 

packages/frontend/src/routes/dashboard/settings/system/+page.svelte

@@ -11,7 +11,7 @@
 	import { t } from '$lib/translations';
 
 	let { data, form }: { data: PageData; form: any } = $props();
-	let settings = $state(data.settings);
+	let settings = $state(data.systemSettings);
 	let isSaving = $state(false);
 
 	const languageOptions: { value: SupportedLanguage; label: string }[] = [