@lenne.tech/nest-server 11.13.2 → 11.13.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "11.13.2",
+  "version": "11.13.4",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -54,10 +54,10 @@
     "prepack": "npm run prestart:prod",
     "prepublishOnly": "npm run lint && npm run test:ci",
     "preversion": "npm run lint",
-    "vitest": "NODE_ENV=local vitest run --config vitest-e2e.config.ts",
+    "vitest": "NODE_ENV=e2e vitest run --config vitest-e2e.config.ts",
     "vitest:ci": "NODE_ENV=ci vitest run --config vitest-e2e.config.ts",
-    "vitest:cov": "NODE_ENV=local vitest run --coverage --config vitest-e2e.config.ts",
-    "vitest:watch": "NODE_ENV=local vitest --config vitest-e2e.config.ts",
+    "vitest:cov": "NODE_ENV=e2e vitest run --coverage --config vitest-e2e.config.ts",
+    "vitest:watch": "NODE_ENV=e2e vitest --config vitest-e2e.config.ts",
     "vitest:unit": "vitest run --config vitest.config.ts",
     "test:unit:watch": "vitest --config vitest.config.ts",
     "test:types": "tsc --noEmit --skipLibCheck -p tests/types/tsconfig.json",

package/src/config.env.ts

@@ -11,6 +11,145 @@ import { IServerOptions } from './core/common/interfaces/server-options.interfac
  */
 dotenv.config();
 const config: { [env: string]: IServerOptions } = {
+  // ===========================================================================
+  // CI environment
+  // ===========================================================================
+  ci: {
+    auth: {
+      legacyEndpoints: { enabled: true },
+    },
+    automaticObjectIdFiltering: true,
+    betterAuth: {
+      // Email verification disabled for test environment (no real mailbox available)
+      emailVerification: false,
+      // JWT enabled by default (zero-config)
+      jwt: { enabled: true, expiresIn: '15m' },
+      // Passkey auto-activated when URLs can be resolved (env: 'local' → localhost defaults)
+      passkey: { enabled: true, origin: 'http://localhost:3001', rpId: 'localhost', rpName: 'Nest Server Local' },
+      rateLimit: { enabled: true, max: 100, windowSeconds: 60 },
+      secret: 'BETTER_AUTH_SECRET_LOCAL_32_CHARS_M',
+      // Social providers disabled in local environment (no credentials)
+      socialProviders: {
+        apple: { clientId: '', clientSecret: '', enabled: false },
+        github: { clientId: '', clientSecret: '', enabled: false },
+        google: { clientId: '', clientSecret: '', enabled: false },
+      },
+      // Trusted origins for Passkey (localhost defaults)
+      trustedOrigins: ['http://localhost:3000', 'http://localhost:3001'],
+      // 2FA enabled for local testing
+      twoFactor: { appName: 'Nest Server Local', enabled: true },
+    },
+    compression: true,
+    cookies: false,
+    cronJobs: {
+      sayHello: {
+        cronTime: CronExpression.EVERY_10_SECONDS,
+        disabled: false,
+        runOnInit: false,
+        runParallel: 1,
+        throwException: false,
+        timeZone: 'Europe/Berlin',
+      },
+    },
+    email: {
+      defaultSender: {
+        email: 'oren.satterfield@ethereal.email',
+        name: 'Nest Server Local',
+      },
+      mailjet: {
+        api_key_private: 'MAILJET_API_KEY_PRIVATE',
+        api_key_public: 'MAILJET_API_KEY_PUBLIC',
+      },
+      passwordResetLink: 'http://localhost:4200/user/password-reset',
+      smtp: {
+        auth: {
+          pass: 'K4DvD8U31VKseT7vQC',
+          user: 'oren.satterfield@ethereal.email',
+        },
+        host: 'mailhog.lenne.tech',
+        port: 1025,
+        secure: false,
+      },
+      verificationLink: 'http://localhost:4200/user/verification',
+    },
+    env: 'ci',
+    // Disable auto-registration to allow Server ErrorCodeModule with SRV_* codes
+    errorCode: {
+      autoRegister: false,
+    },
+    execAfterInit: 'npm run docs:bootstrap',
+    filter: {
+      maxLimit: null,
+    },
+    graphQl: {
+      driver: {
+        introspection: true,
+      },
+      maxComplexity: 1000,
+    },
+    healthCheck: {
+      configs: {
+        database: {
+          enabled: true,
+        },
+      },
+      enabled: true,
+    },
+    hostname: '127.0.0.1',
+    ignoreSelectionsForPopulate: true,
+    jwt: {
+      // Each secret should be unique and not reused in other environments,
+      // also the JWT secret should be different from the Refresh secret!
+      // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+      refresh: {
+        renewal: true,
+        // Each secret should be unique and not reused in other environments,
+        // also the JWT secret should be different from the Refresh secret!
+        // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+        secret: 'SECRET_OR_PRIVATE_KEY_LOCAL_REFRESH',
+        signInOptions: {
+          expiresIn: '7d',
+        },
+      },
+      sameTokenIdPeriod: 2000,
+      secret: 'SECRET_OR_PRIVATE_KEY_LOCAL',
+      signInOptions: {
+        expiresIn: '15m',
+      },
+    },
+    loadLocalConfig: true,
+    logExceptions: true,
+    mongoose: {
+      collation: {
+        locale: 'de',
+      },
+      modelDocumentation: true,
+      uri: 'mongodb://127.0.0.1/nest-server-ci',
+    },
+    port: 3000,
+    security: {
+      checkResponseInterceptor: {
+        checkObjectItself: false,
+        debug: false,
+        ignoreUndefined: true,
+        mergeRoles: true,
+        removeUndefinedFromResultArray: true,
+        throwError: false,
+      },
+      checkSecurityInterceptor: true,
+      mapAndValidatePipe: true,
+    },
+    sha256: true,
+    staticAssets: {
+      options: { prefix: '' },
+      path: join(__dirname, '..', 'public'),
+    },
+    templates: {
+      engine: 'ejs',
+      path: join(__dirname, 'templates'),
+    },
+  },
+
   // ===========================================================================
   // Development environment
   // ===========================================================================
@@ -117,9 +256,9 @@ const config: { [env: string]: IServerOptions } = {
   },
 
   // ===========================================================================
-  // Local environment (env: 'local' → auto URLs + Passkey)
+  // E2E environment
   // ===========================================================================
-  local: {
+  e2e: {
     auth: {
       legacyEndpoints: { enabled: true },
     },
@@ -177,6 +316,124 @@ const config: { [env: string]: IServerOptions } = {
       },
       verificationLink: 'http://localhost:4200/user/verification',
     },
+    env: 'e2e',
+    // Disable auto-registration to allow Server ErrorCodeModule with SRV_* codes
+    errorCode: {
+      autoRegister: false,
+    },
+    execAfterInit: 'npm run docs:bootstrap',
+    filter: {
+      maxLimit: null,
+    },
+    graphQl: {
+      driver: {
+        introspection: true,
+      },
+      maxComplexity: 1000,
+    },
+    healthCheck: {
+      configs: {
+        database: {
+          enabled: true,
+        },
+      },
+      enabled: true,
+    },
+    hostname: '127.0.0.1',
+    ignoreSelectionsForPopulate: true,
+    jwt: {
+      // Each secret should be unique and not reused in other environments,
+      // also the JWT secret should be different from the Refresh secret!
+      // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+      refresh: {
+        renewal: true,
+        // Each secret should be unique and not reused in other environments,
+        // also the JWT secret should be different from the Refresh secret!
+        // crypto.randomBytes(512).toString('base64') (see https://nodejs.org/api/crypto.html#crypto)
+        secret: 'SECRET_OR_PRIVATE_KEY_LOCAL_REFRESH',
+        signInOptions: {
+          expiresIn: '7d',
+        },
+      },
+      sameTokenIdPeriod: 2000,
+      secret: 'SECRET_OR_PRIVATE_KEY_LOCAL',
+      signInOptions: {
+        expiresIn: '15m',
+      },
+    },
+    loadLocalConfig: true,
+    logExceptions: true,
+    mongoose: {
+      collation: {
+        locale: 'de',
+      },
+      modelDocumentation: true,
+      uri: 'mongodb://127.0.0.1/nest-server-e2e',
+    },
+    port: 3000,
+    security: {
+      checkResponseInterceptor: {
+        checkObjectItself: false,
+        debug: false,
+        ignoreUndefined: true,
+        mergeRoles: true,
+        removeUndefinedFromResultArray: true,
+        throwError: false,
+      },
+      checkSecurityInterceptor: true,
+      mapAndValidatePipe: true,
+    },
+    sha256: true,
+    staticAssets: {
+      options: { prefix: '' },
+      path: join(__dirname, '..', 'public'),
+    },
+    templates: {
+      engine: 'ejs',
+      path: join(__dirname, 'templates'),
+    },
+  },
+
+  // ===========================================================================
+  // Local environment (env: 'local' → auto URLs + Passkey)
+  // ===========================================================================
+  local: {
+    auth: {
+      legacyEndpoints: { enabled: true },
+    },
+    automaticObjectIdFiltering: true,
+    compression: true,
+    cronJobs: {
+      sayHello: {
+        cronTime: CronExpression.EVERY_10_SECONDS,
+        disabled: false,
+        runOnInit: false,
+        runParallel: 1,
+        throwException: false,
+        timeZone: 'Europe/Berlin',
+      },
+    },
+    email: {
+      defaultSender: {
+        email: 'oren.satterfield@ethereal.email',
+        name: 'Nest Server Local',
+      },
+      mailjet: {
+        api_key_private: 'MAILJET_API_KEY_PRIVATE',
+        api_key_public: 'MAILJET_API_KEY_PUBLIC',
+      },
+      passwordResetLink: 'http://localhost:4200/user/password-reset',
+      smtp: {
+        auth: {
+          pass: 'K4DvD8U31VKseT7vQC',
+          user: 'oren.satterfield@ethereal.email',
+        },
+        host: 'mailhog.lenne.tech',
+        port: 1025,
+        secure: false,
+      },
+      verificationLink: 'http://localhost:4200/user/verification',
+    },
     env: 'local',
     // Disable auto-registration to allow Server ErrorCodeModule with SRV_* codes
     errorCode: {

package/src/core/common/interfaces/server-options.interface.ts

@@ -524,6 +524,13 @@ export interface IBetterAuthRateLimit {
    */
   max?: number;
 
+  /**
+   * Maximum number of entries in the in-memory rate limit store.
+   * When exceeded, the oldest entries are evicted to prevent unbounded memory growth.
+   * @default 10000
+   */
+  maxEntries?: number;
+
   /**
    * Custom message when rate limit is exceeded
    * default: 'Too many requests, please try again later.'
@@ -1686,6 +1693,14 @@ interface IBetterAuthBase {
    * Set `enabled: false` to explicitly disable email/password auth.
    */
   emailAndPassword?: {
+    /**
+     * Disable user registration (sign-up) via BetterAuth.
+     * Passed through to better-auth's native emailAndPassword.disableSignUp.
+     * Custom endpoints (GraphQL + REST) also check this flag early.
+     * @default false
+     */
+    disableSignUp?: boolean;
+
     /**
      * Whether email/password authentication is enabled.
      * @default true
@@ -1986,10 +2001,7 @@ interface IBetterAuthBase {
  * };
  * ```
  */
-type IBetterAuthPasskeyDisabled =
-  | false
-  | (Omit<IBetterAuthPasskeyConfig, 'enabled'> & { enabled: false })
-  | undefined;
+type IBetterAuthPasskeyDisabled = false | (Omit<IBetterAuthPasskeyConfig, 'enabled'> & { enabled: false }) | undefined;
 
 /**
  * Passkey configuration that is considered "enabled".
@@ -1999,9 +2011,7 @@ type IBetterAuthPasskeyDisabled =
  * - `{ enabled: true, ... }` (explicit enabled)
  * - `{ rpName: 'My App', ... }` (config without explicit enabled = defaults to true)
  */
-type IBetterAuthPasskeyEnabled =
-  | (Omit<IBetterAuthPasskeyConfig, 'enabled'> & { enabled?: true })
-  | true;
+type IBetterAuthPasskeyEnabled = (Omit<IBetterAuthPasskeyConfig, 'enabled'> & { enabled?: true }) | true;
 
 /**
  * BetterAuth configuration WITHOUT Passkey (or Passkey disabled).

package/src/core/modules/better-auth/INTEGRATION-CHECKLIST.md

@@ -313,6 +313,12 @@ After integration, verify:
 - [ ] Passkey login redirects to dashboard after successful authentication
 - [ ] Passkey can be registered, listed, and deleted from security settings
 
+### Optional: Disable Sign-Up (`emailAndPassword.disableSignUp: true`)
+- [ ] REST `POST /iam/sign-up/email` returns `400` with error `LTNS_0026`
+- [ ] GraphQL `betterAuthSignUp` returns error `LTNS_0026`
+- [ ] `GET /iam/features` reports `signUpEnabled: false`
+- [ ] Sign-in still works for existing users
+
 ### Additional checks for Migration scenario:
 - [ ] Sign-in via Legacy Auth works for BetterAuth-created users
 - [ ] Sign-in via BetterAuth works for Legacy-created users

package/src/core/modules/better-auth/README.md

@@ -574,6 +574,32 @@ const config = {
 };
 ```
 
+### Disable Sign-Up
+
+Disable user registration while keeping sign-in active (e.g., invite-only apps, admin-created accounts):
+
+```typescript
+const config = {
+  betterAuth: {
+    emailAndPassword: {
+      disableSignUp: true, // Block new registrations (REST + GraphQL)
+    },
+  },
+};
+```
+
+When disabled:
+- REST `POST /iam/sign-up/email` returns `400 Bad Request` with error `LTNS_0026`
+- GraphQL `betterAuthSignUp` mutation returns error `LTNS_0026`
+- `betterAuthFeatures` reports `signUpEnabled: false`
+- Sign-in continues to work for existing users
+
+**Defense in Depth:** The flag is enforced at two layers:
+1. **Custom check** (`CoreBetterAuthService.ensureSignUpEnabled()`) runs in Controller/Resolver *before* any BetterAuth API call and returns a structured `LTNS_0026` error.
+2. **Native BetterAuth** `emailAndPassword.disableSignUp` acts as a safety net for any direct API access that bypasses the custom check.
+
+**Default:** `false` (sign-up enabled) - fully backward compatible.
+
 ### Additional User Fields
 
 Add custom fields to the Better-Auth user schema:
@@ -1049,6 +1075,7 @@ type CoreBetterAuthFeaturesModel {
   jwt: Boolean!
   twoFactor: Boolean!
   passkey: Boolean!
+  signUpEnabled: Boolean!
   socialProviders: [String!]!
 }
 ```
@@ -1100,6 +1127,7 @@ query {
     jwt
     twoFactor
     passkey
+    signUpEnabled
     socialProviders
   }
 }
@@ -1247,6 +1275,7 @@ export class MyService {
 | `isJwtEnabled()`                    | Check if JWT plugin is enabled               |
 | `isTwoFactorEnabled()`              | Check if 2FA is enabled                      |
 | `isPasskeyEnabled()`                | Check if Passkey is enabled                  |
+| `isSignUpEnabled()`                 | Check if sign-up is enabled                  |
 | `getEnabledSocialProviders()`       | Get list of enabled social providers         |
 | `getBasePath()`                     | Get the base path for endpoints              |
 | `getBaseUrl()`                      | Get the base URL                             |
@@ -1970,6 +1999,9 @@ These protected methods are available for use in your custom resolver:
 // Check if Better-Auth is enabled (throws if not)
 this.ensureEnabled();
 
+// Check if sign-up is enabled (throws if not) - delegated to service
+this.betterAuthService.ensureSignUpEnabled();
+
 // Convert Express headers to Web API Headers
 const headers = this.convertHeaders(ctx.req.headers);
 

package/src/core/modules/better-auth/better-auth.config.ts

@@ -14,6 +14,21 @@ import { IBetterAuth } from '../../common/interfaces/server-options.interface';
  */
 export type BetterAuthInstance = ReturnType<typeof betterAuth>;
 
+// ---------------------------------------------------------------------------
+// Performance-optimized password hashing using Node.js native crypto.scrypt
+//
+// Better-Auth's default uses @noble/hashes scrypt which runs on the main
+// event loop. Under concurrent load this blocks all requests while hashing.
+// Node.js crypto.scrypt() offloads the work to the libuv thread pool,
+// allowing the event loop to remain responsive.
+//
+// Parameters match Better-Auth's defaults exactly:
+//   N=16384, r=16, p=1, dkLen=64, 16-byte salt
+// ---------------------------------------------------------------------------
+
+const SCRYPT_PARAMS = { maxmem: 128 * 16384 * 16 * 2, N: 16384, p: 1, r: 16 };
+const SCRYPT_KEY_LENGTH = 64;
+
 /**
  * Generates a cryptographically secure random secret.
  * Used as fallback when no BETTER_AUTH_SECRET is configured.
@@ -27,6 +42,38 @@ function generateSecureSecret(): string {
   return crypto.randomBytes(32).toString('base64');
 }
 
+/**
+ * Hash a password using Node.js native crypto.scrypt (libuv thread pool).
+ * Output format matches Better-Auth: "salt:hash" (both hex encoded).
+ */
+async function nativeScryptHash(password: string): Promise<string> {
+  const salt = crypto.randomBytes(16).toString('hex');
+  const normalized = password.normalize('NFKC');
+  const key = await new Promise<Buffer>((resolve, reject) => {
+    crypto.scrypt(normalized, salt, SCRYPT_KEY_LENGTH, SCRYPT_PARAMS, (err, derivedKey) => {
+      if (err) reject(err);
+      else resolve(derivedKey);
+    });
+  });
+  return `${salt}:${key.toString('hex')}`;
+}
+
+/**
+ * Verify a password against a Better-Auth scrypt hash using Node.js native crypto.scrypt.
+ */
+async function nativeScryptVerify(data: { hash: string; password: string }): Promise<boolean> {
+  const [salt, storedKey] = data.hash.split(':');
+  if (!salt || !storedKey) return false;
+  const normalized = data.password.normalize('NFKC');
+  const key = await new Promise<Buffer>((resolve, reject) => {
+    crypto.scrypt(normalized, salt, SCRYPT_KEY_LENGTH, SCRYPT_PARAMS, (err, derivedKey) => {
+      if (err) reject(err);
+      else resolve(derivedKey);
+    });
+  });
+  return crypto.timingSafeEqual(key, Buffer.from(storedKey, 'hex'));
+}
+
 /**
  * Cached auto-generated secret for the current server instance.
  * Generated once at a module load to ensure consistency within a single run.
@@ -267,7 +314,17 @@ export function createBetterAuthInstance(options: CreateBetterAuthOptions): Bett
     // Enable email/password authentication by default (required by Better-Auth 1.x)
     // Can be disabled by setting config.emailAndPassword.enabled = false
     emailAndPassword: {
+      // Defense in Depth: This native Better-Auth flag is the second layer.
+      // The first layer is CoreBetterAuthService.ensureSignUpEnabled() which
+      // runs in Controller/Resolver BEFORE the BetterAuth API is called and
+      // returns a structured LTNS_0026 error. The native flag acts as a safety
+      // net in case the custom check is bypassed (e.g., direct API calls).
+      disableSignUp: config.emailAndPassword?.disableSignUp === true,
       enabled: config.emailAndPassword?.enabled !== false,
+      password: {
+        hash: nativeScryptHash,
+        verify: nativeScryptVerify,
+      },
     },
     plugins,
     secret: validation.resolvedSecret || config.secret,
@@ -375,7 +432,7 @@ function buildEmailVerificationConfig(
       _request?: Request,
     ) => {
       // Don't await to prevent timing attacks (as recommended by Better-Auth docs)
-       
+
       sendVerificationEmail(data);
     };
   }
@@ -867,7 +924,11 @@ function normalizePasskeyConfig(
   // Resolve values: explicit config > resolved URLs
   const finalRpId = rawConfig.rpId || resolvedUrls.rpId;
   const finalOrigin = rawConfig.origin || resolvedUrls.appUrl;
-  const finalTrustedOrigins = config.trustedOrigins?.length ? config.trustedOrigins : resolvedUrls.appUrl ? [resolvedUrls.appUrl] : undefined;
+  const finalTrustedOrigins = config.trustedOrigins?.length
+    ? config.trustedOrigins
+    : resolvedUrls.appUrl
+      ? [resolvedUrls.appUrl]
+      : undefined;
 
   // Check if we have all required values for Passkey
   const hasRequiredConfig = finalRpId && finalOrigin && finalTrustedOrigins?.length;

package/src/core/modules/better-auth/core-better-auth-email-verification.service.ts

@@ -409,11 +409,27 @@ export class CoreBetterAuthEmailVerificationService {
     return elapsed < cooldown;
   }
 
+  /**
+   * Maximum entries in the lastSendTimes map to prevent unbounded growth.
+   * At 10,000 entries with email strings as keys, this uses ~1-2 MB max.
+   */
+  private static readonly MAX_SEND_TIMES_ENTRIES = 10000;
+
   /**
    * Track that a verification email was sent to this address
    */
   protected trackSend(email: string): void {
     const key = email.toLowerCase();
+
+    // Evict oldest entry if map is at capacity (before adding new one)
+    if (!this.lastSendTimes.has(key) && this.lastSendTimes.size >= CoreBetterAuthEmailVerificationService.MAX_SEND_TIMES_ENTRIES) {
+      // Map preserves insertion order - first key is the oldest
+      const oldestKey = this.lastSendTimes.keys().next().value;
+      if (oldestKey) {
+        this.lastSendTimes.delete(oldestKey);
+      }
+    }
+
     this.lastSendTimes.set(key, Date.now());
 
     // Schedule cleanup to prevent memory leak

package/src/core/modules/better-auth/core-better-auth-models.ts

@@ -135,6 +135,9 @@ export class CoreBetterAuthFeaturesModel {
   @Field(() => Boolean, { description: 'Whether Passkey is enabled' })
   passkey: boolean;
 
+  @Field(() => Boolean, { description: 'Whether sign-up is enabled' })
+  signUpEnabled: boolean;
+
   @Field(() => [String], { description: 'List of enabled social providers' })
   socialProviders: string[];
 

package/src/core/modules/better-auth/core-better-auth-rate-limiter.service.ts

@@ -46,6 +46,7 @@ interface RateLimitEntry {
 const DEFAULT_CONFIG: Required<IBetterAuthRateLimit> = {
   enabled: false,
   max: 10,
+  maxEntries: 10000,
   message: 'Too many requests, please try again later.',
   skipEndpoints: ['/session', '/callback'],
   strictEndpoints: ['/sign-in', '/sign-up', '/forgot-password', '/reset-password'],
@@ -143,6 +144,11 @@ export class CoreBetterAuthRateLimiter {
     let entry = this.store.get(key);
 
     if (!entry || now >= entry.resetTime) {
+      // Evict oldest entries if store exceeds maxEntries
+      if (!entry && this.store.size >= this.config.maxEntries) {
+        this.evictOldest();
+      }
+
       // Create new entry or reset expired one
       entry = {
         count: 1,
@@ -234,6 +240,40 @@ export class CoreBetterAuthRateLimiter {
     }
   }
 
+  /**
+   * Evict the oldest entries when the store exceeds maxEntries.
+   * First removes all expired entries, then removes entries closest to expiry
+   * until the store is at 90% capacity.
+   */
+  private evictOldest(): void {
+    const now = Date.now();
+    let evicted = 0;
+
+    // First pass: remove all expired entries
+    for (const [key, entry] of this.store.entries()) {
+      if (now >= entry.resetTime) {
+        this.store.delete(key);
+        evicted++;
+      }
+    }
+
+    // If still over limit, remove entries with earliest resetTime (oldest)
+    if (this.store.size >= this.config.maxEntries) {
+      const targetSize = Math.floor(this.config.maxEntries * 0.9);
+      const entries = [...this.store.entries()].sort((a, b) => a[1].resetTime - b[1].resetTime);
+
+      for (const [key] of entries) {
+        if (this.store.size <= targetSize) break;
+        this.store.delete(key);
+        evicted++;
+      }
+    }
+
+    if (evicted > 0) {
+      this.logger.warn(`Evicted ${evicted} rate limit entries (store was at capacity: ${this.config.maxEntries})`);
+    }
+  }
+
   /**
    * Determine if an endpoint should skip rate limiting
    */