I am using Vercel + Next.js + Convex + Better Auth and discovered that Better Auth's rateLimit config was not behaving as expected.
After a lot of digging I found that the `betterAuth/rateLimit` table in Convex does contain rate limit entries. However, I could not find my IP. Instead I found a bunch of IPs that a search suggests belong to Cloudflare reverse proxies. And when I try hitting `/get-session` from the client 100 times, I instead get a bunch of random IPs being incremented.
My hunch is that the `@convex-dev/better-auth/nextjs` adapter's handler for Next.js is at fault, as it seems to work by fetching a new request without any headers to pass along the IP address.
```ts
const handler = (request: Request, siteUrl: string) => {
  const requestUrl = new URL(request.url);
  const nextUrl = `${siteUrl}${requestUrl.pathname}${requestUrl.search}`;
  const newRequest = new Request(nextUrl, request);
  newRequest.headers.set("accept-encoding", "application/json");
  newRequest.headers.set("host", new URL(siteUrl).host);
  return fetch(newRequest, { method: request.method, redirect: "manual" });
};
```
Source: `better-auth/src/nextjs/index.ts`, lines 43 to 50 in 5751ea8
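As an added illustration (not code from the adapter, Better Auth or Convex), the following JavaScript models the server-side hop described above and shows how a per-IP rate-limit counter degrades when the client address does not survive that hop. It assumes the limiter keys on the first address in `x-forwarded-for`; all function names, URLs and addresses are constructed.

```javascript
// Added example, not the adapter's or Better Auth's code. Models the extra hop:
// the Next.js route re-issues the browser's request to the Convex site URL.
const SITE_URL = "https://example-site.convex.site"; // constructed placeholder

// Rate-limit key: first address in x-forwarded-for (the original client).
function clientIpFromHeaders(headers) {
  const xff = headers.get("x-forwarded-for");
  return xff ? xff.split(",")[0].trim() : "unknown";
}

// Rebuild the upstream request as the snippet does, then re-assert the client IP.
function forwardWithClientIp(request, siteUrl) {
  const u = new URL(request.url);
  const upstream = new Request(`${siteUrl}${u.pathname}${u.search}`, request);
  const clientIp = clientIpFromHeaders(request.headers);
  if (clientIp !== "unknown") upstream.headers.set("x-forwarded-for", clientIp);
  return upstream;
}

// A proxy between the route and Convex that overwrites x-forwarded-for with its own address.
function hopThatReplacesClientIp(request, proxyIp) {
  const r = new Request(request.url, request);
  r.headers.set("x-forwarded-for", proxyIp);
  return r;
}

// Per-IP counter standing in for the betterAuth/rateLimit table.
function countByIp(requests) {
  const table = new Map();
  for (const r of requests) {
    const key = clientIpFromHeaders(r.headers);
    table.set(key, (table.get(key) || 0) + 1);
  }
  return table;
}

// Constructed traffic: two clients each hit /get-session five times.
function simulate(proxyReplacesIp) {
  const requests = [];
  for (const ip of ["203.0.113.10", "198.51.100.7"]) {
    for (let i = 0; i < 5; i++) {
      const incoming = new Request("https://app.example/api/auth/get-session", { headers: { "x-forwarded-for": ip } });
      let up = forwardWithClientIp(incoming, SITE_URL);
      if (proxyReplacesIp) up = hopThatReplacesClientIp(up, "192.0.2.1");
      requests.push(up);
    }
  }
  return countByIp(requests);
}
```

With the client IP carried through, each client gets its own counter; when an intermediate hop replaces it, every hit lands on the proxy's address, which is the symptom the post reports.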