Hello! I found a tiny issue.
If I look at the code, it looks like the clone has SSO with Google, but we can send HTTP requests to the backend directly without authentication.
It gives rise to excessive use of the APIs and bypasses the rate limit middleware.
Yeah, if you have the link to the server you can make direct requests to it, because the auth is only on the client side and the session is not stored in a DB, only in the client's browser.
wdyt?