Summary
CodeQL flags js/missing-rate-limiting (High) on authenticated admin routes that already use our custom Redis-backed rate limiter. This blocks otherwise correct admin PRs in CI.
Affected PRs
Example (#690)
router.patch('/settings', adminRateLimitMiddleware, adminAuthMiddleware, json(), ...)
router.post('/settings/validate', adminRateLimitMiddleware, adminAuthMiddleware, ...)
Both routes include adminRateLimitMiddleware before auth. CodeQL still reports missing rate limiting.
Proposed fix
CodeQL config to recognize adminRateLimitMiddleware as a rate limiter
Summary
CodeQL flags
js/missing-rate-limiting(High) on authenticated admin routes that already use our custom Redis-backed rate limiter. This blocks otherwise correct admin PRs in CI.Affected PRs
/login,/session,/health) — merged; same pattern/admin/metricsSSE — merged; same patternPATCH /admin/settings,POST /admin/settings/validate) — currently failing CIExample (#690)
Both routes include adminRateLimitMiddleware before auth. CodeQL still reports missing rate limiting.
Proposed fix
CodeQL config to recognize adminRateLimitMiddleware as a rate limiter