api/src/app/plugins/rate-limit.ts

@@ -12,8 +12,27 @@ import { AuditAction, AuditCategory } from "@library/shared-types";
 
 const rateLimitPlugin: FastifyPluginAsync = async (app) => {
   await app.register(fastifyRateLimit, {
-    max: 100,
+    max: async (request) => {
+      // Try to get user from JWT
+      try {
+        await request.jwtVerify();
+        // Authenticated users get higher limits
+        return 500;
+      } catch {
+        // Unauthenticated users get lower limits
+        return 100;
+      }
+    },
     timeWindow: "1 minute",
+    allowList: async (request) => {
+      // Bypass rate limiting entirely for admin users
+      try {
+        await request.jwtVerify();
+        return request.user?.isAdmin === true;
+      } catch {
+        return false;
+      }
+    },
     errorResponseBuilder: (request) => {
       // Log rate limit exceeded event
       AuditService.log({