From 91208e44a1167cbbdea361db26c19fc3305ca917 Mon Sep 17 00:00:00 2001
From: Ahmet Kilinc <akx9@icloud.com>
Date: Sat, 20 Dec 2025 14:06:02 +0000
Subject: [PATCH] rate limit and auth checks

---
 actions/repositories.ts            |   4 +-
 app/(main)/new/form.tsx            | 169 ++++++++++++++++++++++++
 app/(main)/new/page.tsx            | 203 ++---------------------------
 app/api/avatar/[filename]/route.ts |   9 ++
 app/api/file/[...path]/route.ts    |  21 ++-
 app/api/git/[...path]/route.ts     |  87 +++++--------
 lib/api-auth.ts                    |  69 ++++++++++
 lib/r2-fs.ts                       |   2 +
 lib/rate-limit.ts                  |  96 ++++++++++++++
 9 files changed, 403 insertions(+), 257 deletions(-)
 create mode 100644 app/(main)/new/form.tsx
 create mode 100644 lib/api-auth.ts
 create mode 100644 lib/rate-limit.ts

diff --git a/actions/repositories.ts b/actions/repositories.ts
index 918a84f..182da4d 100644
--- a/actions/repositories.ts
+++ b/actions/repositories.ts
@@ -816,7 +816,9 @@ export async function getPublicUsers(sortBy: "newest" | "oldest" = "newest", lim
       avatarUrl: users.avatarUrl,
       bio: users.bio,
       createdAt: users.createdAt,
-      repoCount: sql<number>`(SELECT COUNT(*) FROM repositories WHERE repositories.owner_id = users.id AND repositories.visibility = 'public')`.as("repo_count"),
+      repoCount: sql<number>`(SELECT COUNT(*) FROM repositories WHERE repositories.owner_id = users.id AND repositories.visibility = 'public')`.as(
+        "repo_count"
+      ),
     })
     .from(users)
     .orderBy(sortBy === "newest" ? desc(users.createdAt) : users.createdAt)
diff --git a/app/(main)/new/form.tsx b/app/(main)/new/form.tsx
new file mode 100644
index 0000000..abdf34d
--- /dev/null
+++ b/app/(main)/new/form.tsx
@@ -0,0 +1,169 @@
+"use client";
+
+import { useState } from "react";
+import { useRouter } from "next/navigation";
+import { createRepository } from "@/actions/repositories";
+import { Button } from "@/components/ui/button";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import { Textarea } from "@/components/ui/textarea";
+import { toast } from "sonner";
+import { Loader2, Lock, Globe } from "lucide-react";
+import Link from "next/link";
+
+export function NewRepoForm({ username }: { username: string }) {
+  const router = useRouter();
+  const [loading, setLoading] = useState(false);
+  const [formData, setFormData] = useState({
+    name: "",
+    description: "",
+    visibility: "public" as "public" | "private",
+  });
+
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault();
+    setLoading(true);
+
+    try {
+      await createRepository({
+        name: formData.name,
+        description: formData.description || undefined,
+        visibility: formData.visibility,
+      });
+
+      toast.success("Repository created!");
+      router.push(`/${username}/${formData.name.toLowerCase().replace(/\s+/g, "-")}`);
+    } catch (err) {
+      toast.error(err instanceof Error ? err.message : "Failed to create repository");
+    } finally {
+      setLoading(false);
+    }
+  }
+
+  return (
+    <div className="container max-w-2xl! py-8">
+      <div className="mb-8">
+        <h1 className="text-2xl font-bold mb-2">Create a new repository</h1>
+        <p className="text-muted-foreground">A repository contains all project files, including the revision history.</p>
+      </div>
+
+      <form onSubmit={handleSubmit} className="space-y-8">
+        <div className="rounded-xl border border-border bg-card p-6 space-y-6">
+          <div className="space-y-3">
+            <Label htmlFor="name" className="text-sm font-medium">
+              Repository name <span className="text-destructive">*</span>
+            </Label>
+            <div className="flex items-center gap-3">
+              <span className="text-muted-foreground font-medium">{username}</span>
+              <span className="text-muted-foreground">/</span>
+              <Input
+                id="name"
+                value={formData.name}
+                onChange={(e) => setFormData({ ...formData, name: e.target.value })}
+                placeholder="my-awesome-project"
+                required
+                pattern="^[a-zA-Z0-9_.-]+$"
+                className="flex-1 bg-input/50"
+              />
+            </div>
+            <p className="text-xs text-muted-foreground">Great repository names are short and memorable.</p>
+          </div>
+
+          <div className="space-y-3">
+            <Label htmlFor="description" className="text-sm font-medium">
+              Description <span className="text-muted-foreground">(optional)</span>
+            </Label>
+            <Textarea
+              id="description"
+              value={formData.description}
+              onChange={(e) => setFormData({ ...formData, description: e.target.value })}
+              placeholder="A short description of your project"
+              rows={3}
+              className="bg-input/50 resize-none"
+            />
+          </div>
+        </div>
+
+        <div className="rounded-xl border border-border bg-card p-6 space-y-4">
+          <Label className="text-sm font-medium">Visibility</Label>
+          <div className="space-y-3">
+            <label
+              className={`flex items-start gap-4 p-4 rounded-lg border-2 cursor-pointer transition-all ${
+                formData.visibility === "public" ? "border-primary bg-primary/5" : "border-transparent bg-input/30 hover:bg-input/50"
+              }`}
+            >
+              <div
+                className={`mt-0.5 w-5 h-5 rounded-full border-2 flex items-center justify-center transition-colors ${
+                  formData.visibility === "public" ? "border-primary" : "border-muted-foreground"
+                }`}
+              >
+                {formData.visibility === "public" && <div className="w-2.5 h-2.5 rounded-full bg-primary" />}
+              </div>
+              <input
+                type="radio"
+                name="visibility"
+                value="public"
+                checked={formData.visibility === "public"}
+                onChange={() => setFormData({ ...formData, visibility: "public" })}
+                className="sr-only"
+              />
+              <div className="flex-1">
+                <div className="flex items-center gap-2 font-medium">
+                  <Globe className="h-4 w-4 text-muted-foreground" />
+                  Public
+                </div>
+                <p className="text-sm text-muted-foreground mt-1">Anyone on the internet can see this repository.</p>
+              </div>
+            </label>
+
+            <label
+              className={`flex items-start gap-4 p-4 rounded-lg border-2 cursor-pointer transition-all ${
+                formData.visibility === "private" ? "border-primary bg-primary/5" : "border-transparent bg-input/30 hover:bg-input/50"
+              }`}
+            >
+              <div
+                className={`mt-0.5 w-5 h-5 rounded-full border-2 flex items-center justify-center transition-colors ${
+                  formData.visibility === "private" ? "border-primary" : "border-muted-foreground"
+                }`}
+              >
+                {formData.visibility === "private" && <div className="w-2.5 h-2.5 rounded-full bg-primary" />}
+              </div>
+              <input
+                type="radio"
+                name="visibility"
+                value="private"
+                checked={formData.visibility === "private"}
+                onChange={() => setFormData({ ...formData, visibility: "private" })}
+                className="sr-only"
+              />
+              <div className="flex-1">
+                <div className="flex items-center gap-2 font-medium">
+                  <Lock className="h-4 w-4 text-muted-foreground" />
+                  Private
+                </div>
+                <p className="text-sm text-muted-foreground mt-1">You choose who can see and commit to this repository.</p>
+              </div>
+            </label>
+          </div>
+        </div>
+
+        <div className="flex items-center justify-end gap-4 pt-4">
+          <Button type="button" variant="ghost" asChild>
+            <Link href="/">Cancel</Link>
+          </Button>
+          <Button type="submit" disabled={loading || !formData.name} className="min-w-[160px]">
+            {loading ? (
+              <>
+                <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+                Creating...
+              </>
+            ) : (
+              "Create repository"
+            )}
+          </Button>
+        </div>
+      </form>
+    </div>
+  );
+}
+
diff --git a/app/(main)/new/page.tsx b/app/(main)/new/page.tsx
index 208541c..0a1473e 100644
--- a/app/(main)/new/page.tsx
+++ b/app/(main)/new/page.tsx
@@ -1,202 +1,15 @@
-"use client";
+import { redirect } from "next/navigation";
+import { getSession } from "@/lib/session";
+import { NewRepoForm } from "./form";
 
-import { useState } from "react";
-import { useRouter } from "next/navigation";
-import { createRepository } from "@/actions/repositories";
-import { useSession } from "@/lib/auth-client";
-import { Button } from "@/components/ui/button";
-import { Input } from "@/components/ui/input";
-import { Label } from "@/components/ui/label";
-import { Textarea } from "@/components/ui/textarea";
-import { toast } from "sonner";
-import { Loader2, Lock, Globe, BookMarked } from "lucide-react";
-import Link from "next/link";
-
-export default function NewRepoPage() {
-  const router = useRouter();
-  const { data: session, isPending } = useSession();
-  const [loading, setLoading] = useState(false);
-  const [formData, setFormData] = useState({
-    name: "",
-    description: "",
-    visibility: "public" as "public" | "private",
-  });
-
-  const username = (session?.user as { username?: string } | undefined)?.username || "";
-
-  async function handleSubmit(e: React.FormEvent) {
-    e.preventDefault();
-    if (!session?.user) {
-      toast.error("You must be logged in");
-      return;
-    }
-
-    setLoading(true);
-
-    try {
-      await createRepository({
-        name: formData.name,
-        description: formData.description || undefined,
-        visibility: formData.visibility,
-      });
-
-      toast.success("Repository created!");
-      router.push(`/${username}/${formData.name.toLowerCase().replace(/\s+/g, "-")}`);
-    } catch (err) {
-      toast.error(err instanceof Error ? err.message : "Failed to create repository");
-    } finally {
-      setLoading(false);
-    }
-  }
-
-  if (isPending) {
-    return (
-      <div className="container max-w-2xl py-16">
-        <div className="flex items-center justify-center">
-          <Loader2 className="h-8 w-8 animate-spin text-muted-foreground" />
-        </div>
-      </div>
-    );
-  }
+export default async function NewRepoPage() {
+  const session = await getSession();
 
   if (!session?.user) {
-    return (
-      <div className="container max-w-2xl py-16">
-        <div className="rounded-xl border border-border bg-card p-12 text-center">
-          <BookMarked className="h-12 w-12 mx-auto mb-4 text-muted-foreground" />
-          <h2 className="text-xl font-semibold mb-2">Sign in required</h2>
-          <p className="text-muted-foreground mb-6">Please sign in to create a repository</p>
-          <Button asChild>
-            <Link href="/login">Sign in</Link>
-          </Button>
-        </div>
-      </div>
-    );
+    redirect("/login");
   }
 
-  return (
-    <div className="container max-w-2xl! py-8">
-      <div className="mb-8">
-        <h1 className="text-2xl font-bold mb-2">Create a new repository</h1>
-        <p className="text-muted-foreground">A repository contains all project files, including the revision history.</p>
-      </div>
+  const username = (session.user as { username?: string }).username || "";
 
-      <form onSubmit={handleSubmit} className="space-y-8">
-        <div className="rounded-xl border border-border bg-card p-6 space-y-6">
-          <div className="space-y-3">
-            <Label htmlFor="name" className="text-sm font-medium">
-              Repository name <span className="text-destructive">*</span>
-            </Label>
-            <div className="flex items-center gap-3">
-              <span className="text-muted-foreground font-medium">{username}</span>
-              <span className="text-muted-foreground">/</span>
-              <Input
-                id="name"
-                value={formData.name}
-                onChange={(e) => setFormData({ ...formData, name: e.target.value })}
-                placeholder="my-awesome-project"
-                required
-                pattern="^[a-zA-Z0-9_.-]+$"
-                className="flex-1 bg-input/50"
-              />
-            </div>
-            <p className="text-xs text-muted-foreground">Great repository names are short and memorable.</p>
-          </div>
-
-          <div className="space-y-3">
-            <Label htmlFor="description" className="text-sm font-medium">
-              Description <span className="text-muted-foreground">(optional)</span>
-            </Label>
-            <Textarea
-              id="description"
-              value={formData.description}
-              onChange={(e) => setFormData({ ...formData, description: e.target.value })}
-              placeholder="A short description of your project"
-              rows={3}
-              className="bg-input/50 resize-none"
-            />
-          </div>
-        </div>
-
-        <div className="rounded-xl border border-border bg-card p-6 space-y-4">
-          <Label className="text-sm font-medium">Visibility</Label>
-          <div className="space-y-3">
-            <label
-              className={`flex items-start gap-4 p-4 rounded-lg border-2 cursor-pointer transition-all ${
-                formData.visibility === "public" ? "border-primary bg-primary/5" : "border-transparent bg-input/30 hover:bg-input/50"
-              }`}
-            >
-              <div
-                className={`mt-0.5 w-5 h-5 rounded-full border-2 flex items-center justify-center transition-colors ${
-                  formData.visibility === "public" ? "border-primary" : "border-muted-foreground"
-                }`}
-              >
-                {formData.visibility === "public" && <div className="w-2.5 h-2.5 rounded-full bg-primary" />}
-              </div>
-              <input
-                type="radio"
-                name="visibility"
-                value="public"
-                checked={formData.visibility === "public"}
-                onChange={() => setFormData({ ...formData, visibility: "public" })}
-                className="sr-only"
-              />
-              <div className="flex-1">
-                <div className="flex items-center gap-2 font-medium">
-                  <Globe className="h-4 w-4 text-muted-foreground" />
-                  Public
-                </div>
-                <p className="text-sm text-muted-foreground mt-1">Anyone on the internet can see this repository.</p>
-              </div>
-            </label>
-
-            <label
-              className={`flex items-start gap-4 p-4 rounded-lg border-2 cursor-pointer transition-all ${
-                formData.visibility === "private" ? "border-primary bg-primary/5" : "border-transparent bg-input/30 hover:bg-input/50"
-              }`}
-            >
-              <div
-                className={`mt-0.5 w-5 h-5 rounded-full border-2 flex items-center justify-center transition-colors ${
-                  formData.visibility === "private" ? "border-primary" : "border-muted-foreground"
-                }`}
-              >
-                {formData.visibility === "private" && <div className="w-2.5 h-2.5 rounded-full bg-primary" />}
-              </div>
-              <input
-                type="radio"
-                name="visibility"
-                value="private"
-                checked={formData.visibility === "private"}
-                onChange={() => setFormData({ ...formData, visibility: "private" })}
-                className="sr-only"
-              />
-              <div className="flex-1">
-                <div className="flex items-center gap-2 font-medium">
-                  <Lock className="h-4 w-4 text-muted-foreground" />
-                  Private
-                </div>
-                <p className="text-sm text-muted-foreground mt-1">You choose who can see and commit to this repository.</p>
-              </div>
-            </label>
-          </div>
-        </div>
-
-        <div className="flex items-center justify-end gap-4 pt-4">
-          <Button type="button" variant="ghost" asChild>
-            <Link href="/">Cancel</Link>
-          </Button>
-          <Button type="submit" disabled={loading || !formData.name} className="min-w-[160px]">
-            {loading ? (
-              <>
-                <Loader2 className="mr-2 h-4 w-4 animate-spin" />
-                Creating...
-              </>
-            ) : (
-              "Create repository"
-            )}
-          </Button>
-        </div>
-      </form>
-    </div>
-  );
+  return <NewRepoForm username={username} />;
 }
diff --git a/app/api/avatar/[filename]/route.ts b/app/api/avatar/[filename]/route.ts
index c63ea2f..77ecc0b 100644
--- a/app/api/avatar/[filename]/route.ts
+++ b/app/api/avatar/[filename]/route.ts
@@ -1,7 +1,16 @@
 import { NextRequest, NextResponse } from "next/server";
 import { r2Get } from "@/lib/r2";
+import { rateLimit } from "@/lib/rate-limit";
 
 export async function GET(request: NextRequest, { params }: { params: Promise<{ filename: string }> }) {
+  const rateLimitResult = rateLimit(request, "avatar", { limit: 200, windowMs: 60000 });
+  if (!rateLimitResult.success) {
+    return new NextResponse("Too Many Requests", {
+      status: 429,
+      headers: { "Retry-After": Math.ceil((rateLimitResult.resetAt - Date.now()) / 1000).toString() },
+    });
+  }
+
   const { filename } = await params;
 
   const key = `avatars/${filename}`;
diff --git a/app/api/file/[...path]/route.ts b/app/api/file/[...path]/route.ts
index 9d44511..7836deb 100644
--- a/app/api/file/[...path]/route.ts
+++ b/app/api/file/[...path]/route.ts
@@ -2,13 +2,22 @@ import { NextRequest, NextResponse } from "next/server";
 import { db } from "@/db";
 import { users, repositories } from "@/db/schema";
 import { eq, and } from "drizzle-orm";
-import { getSession } from "@/lib/session";
 import git from "isomorphic-git";
 import { createR2Fs, getRepoPrefix } from "@/lib/r2-fs";
+import { rateLimit } from "@/lib/rate-limit";
+import { authenticateRequest } from "@/lib/api-auth";
 
 const CHUNK_SIZE = 64 * 1024;
 
 export async function GET(request: NextRequest, { params }: { params: Promise<{ path: string[] }> }) {
+  const rateLimitResult = rateLimit(request, "file", { limit: 120, windowMs: 60000 });
+  if (!rateLimitResult.success) {
+    return new NextResponse("Too Many Requests", {
+      status: 429,
+      headers: { "Retry-After": Math.ceil((rateLimitResult.resetAt - Date.now()) / 1000).toString() },
+    });
+  }
+
   const { path } = await params;
 
   if (path.length < 4) {
@@ -35,9 +44,12 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
   }
 
   if (repo.visibility === "private") {
-    const session = await getSession();
-    if (!session?.user || session.user.id !== repo.ownerId) {
-      return NextResponse.json({ error: "Unauthorized" }, { status: 403 });
+    const authenticatedUser = await authenticateRequest(request);
+    if (!authenticatedUser || authenticatedUser.id !== repo.ownerId) {
+      return new NextResponse("Unauthorized", {
+        status: 401,
+        headers: { "WWW-Authenticate": 'Basic realm="gitbruv"' },
+      });
     }
   }
 
@@ -132,4 +144,3 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
     return NextResponse.json({ error: "Internal server error" }, { status: 500 });
   }
 }
-
diff --git a/app/api/git/[...path]/route.ts b/app/api/git/[...path]/route.ts
index c4c319e..d34eede 100644
--- a/app/api/git/[...path]/route.ts
+++ b/app/api/git/[...path]/route.ts
@@ -3,34 +3,11 @@ import { db } from "@/db";
 import { users, repositories } from "@/db/schema";
 import { eq, and } from "drizzle-orm";
 import git from "isomorphic-git";
-import { createR2Fs, getRepoPrefix } from "@/lib/r2-fs";
+import { createR2Fs, getRepoPrefix, R2Fs } from "@/lib/r2-fs";
 import { revalidateTag } from "next/cache";
-import { auth } from "@/lib/auth";
-
-async function authenticateUser(authHeader: string | null): Promise<{ id: string; username: string } | null> {
-  if (!authHeader?.startsWith("Basic ")) return null;
-
-  const credentials = Buffer.from(authHeader.split(" ")[1], "base64").toString("utf-8");
-  const [email, password] = credentials.split(":");
-  if (!email || !password) return null;
-
-  try {
-    const result = await auth.api.signInEmail({
-      body: { email, password },
-      asResponse: false,
-    });
-
-    if (!result?.user) return null;
-
-    const user = await db.query.users.findFirst({
-      where: eq(users.email, email),
-    });
-
-    return user ? { id: user.id, username: user.username } : null;
-  } catch {
-    return null;
-  }
-}
+import { rateLimit } from "@/lib/rate-limit";
+import { authenticateRequest } from "@/lib/api-auth";
+import { createHash } from "crypto";
 
 function parseGitPath(pathSegments: string[]): { username: string; repoName: string; action: string | null } | null {
   if (pathSegments.length < 2) return null;
@@ -56,7 +33,7 @@ function parseGitPath(pathSegments: string[]): { username: string; repoName: str
   return { username, repoName, action };
 }
 
-async function getRefsAdvertisement(fs: any, gitdir: string, service: string): Promise<Buffer> {
+async function getRefsAdvertisement(fs: R2Fs, gitdir: string, service: string): Promise<Buffer> {
   const capabilities =
     service === "git-upload-pack"
       ? [
@@ -124,16 +101,13 @@ async function getRefsAdvertisement(fs: any, gitdir: string, service: string): P
   return Buffer.concat(packets);
 }
 
-async function handleUploadPack(fs: any, gitdir: string, body: Buffer): Promise<Buffer> {
+async function handleUploadPack(fs: R2Fs, gitdir: string, body: Buffer): Promise<Buffer> {
   const lines = parsePktLines(body);
   const wants: string[] = [];
-  const haves: string[] = [];
 
   for (const line of lines) {
     if (line.startsWith("want ")) {
       wants.push(line.slice(5, 45));
-    } else if (line.startsWith("have ")) {
-      haves.push(line.slice(5, 45));
     }
   }
 
@@ -159,23 +133,17 @@ async function handleUploadPack(fs: any, gitdir: string, body: Buffer): Promise<
   }
 }
 
-async function handleReceivePack(fs: any, gitdir: string, body: Buffer): Promise<Buffer> {
-  console.log("[ReceivePack] Starting, body length:", body.length);
-
+async function handleReceivePack(fs: R2Fs, gitdir: string, body: Buffer): Promise<Buffer> {
   const packStart = body.indexOf(Buffer.from("PACK"));
-  console.log("[ReceivePack] PACK header at:", packStart);
 
   if (packStart === -1) {
-    console.log("[ReceivePack] No PACK header found");
     return Buffer.from("000eunpack ok\n0000");
   }
 
   const commandSection = body.slice(0, packStart);
   const packData = body.slice(packStart);
-  console.log("[ReceivePack] Command section length:", commandSection.length, "Pack data length:", packData.length);
 
   const lines = parsePktLines(commandSection);
-  console.log("[ReceivePack] Parsed lines:", lines);
 
   const updates: { oldOid: string; newOid: string; ref: string }[] = [];
 
@@ -185,35 +153,27 @@ async function handleReceivePack(fs: any, gitdir: string, body: Buffer): Promise
       updates.push({ oldOid: match[1], newOid: match[2], ref: match[3].replace("\0", "").split(" ")[0] });
     }
   }
-  console.log("[ReceivePack] Updates:", updates);
 
   try {
-    console.log("[ReceivePack] Creating directories...");
-    await fs.promises.mkdir("/objects", { recursive: true }).catch(() => {});
-    await fs.promises.mkdir("/objects/pack", { recursive: true }).catch(() => {});
+    await fs.promises.mkdir("/objects").catch(() => {});
+    await fs.promises.mkdir("/objects/pack").catch(() => {});
 
-    const packHash = require("crypto").createHash("sha1").update(packData).digest("hex");
+    const packHash = createHash("sha1").update(packData).digest("hex");
     const packFileName = `pack-${packHash}`;
     const packPath = `/objects/pack/${packFileName}.pack`;
-    const idxPath = `/objects/pack/${packFileName}.idx`;
 
-    console.log("[ReceivePack] Writing pack file:", packPath);
     await fs.promises.writeFile(packPath, packData);
 
-    console.log("[ReceivePack] Calling indexPack...");
-    const result = await git.indexPack({ fs, dir: "/", gitdir: "/", filepath: `objects/pack/${packFileName}.pack` });
-    console.log("[ReceivePack] indexPack result, oids:", result.oids?.length);
+    await git.indexPack({ fs, dir: "/", gitdir: "/", filepath: `objects/pack/${packFileName}.pack` });
 
-    console.log("[ReceivePack] Writing refs...");
     for (const update of updates) {
       const refPath = update.ref.startsWith("refs/") ? update.ref : `refs/heads/${update.ref}`;
-      console.log("[ReceivePack] Writing ref:", refPath, "->", update.newOid);
 
       if (update.newOid === "0".repeat(40)) {
         await fs.promises.unlink(`/${refPath}`).catch(() => {});
       } else {
         const refDir = "/" + refPath.split("/").slice(0, -1).join("/");
-        await fs.promises.mkdir(refDir, { recursive: true }).catch(() => {});
+        await fs.promises.mkdir(refDir).catch(() => {});
         await fs.promises.writeFile(`/${refPath}`, update.newOid + "\n");
       }
     }
@@ -231,7 +191,6 @@ async function handleReceivePack(fs: any, gitdir: string, body: Buffer): Promise
     }
     responseStr += "0000";
 
-    console.log("[ReceivePack] Success!");
     return Buffer.from(responseStr);
   } catch (err) {
     console.error("[ReceivePack] Error:", err);
@@ -265,6 +224,14 @@ function parsePktLines(data: Buffer): string[] {
 }
 
 export async function GET(request: NextRequest, { params }: { params: Promise<{ path: string[] }> }) {
+  const rateLimitResult = rateLimit(request, "git", { limit: 100, windowMs: 60000 });
+  if (!rateLimitResult.success) {
+    return new NextResponse("Too Many Requests", {
+      status: 429,
+      headers: { "Retry-After": Math.ceil((rateLimitResult.resetAt - Date.now()) / 1000).toString() },
+    });
+  }
+
   const { path: pathSegments } = await params;
   const parsed = parseGitPath(pathSegments);
 
@@ -291,7 +258,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
   }
 
   if (repo.visibility === "private") {
-    const user = await authenticateUser(request.headers.get("authorization"));
+    const user = await authenticateRequest(request);
     if (!user || user.id !== repo.ownerId) {
       return new NextResponse("Unauthorized", {
         status: 401,
@@ -305,7 +272,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
 
     if (serviceQuery === "git-upload-pack" || serviceQuery === "git-receive-pack") {
       if (serviceQuery === "git-receive-pack") {
-        const user = await authenticateUser(request.headers.get("authorization"));
+        const user = await authenticateRequest(request);
         if (!user || user.id !== repo.ownerId) {
           return new NextResponse("Unauthorized", {
             status: 401,
@@ -336,6 +303,14 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
 }
 
 export async function POST(request: NextRequest, { params }: { params: Promise<{ path: string[] }> }) {
+  const rateLimitResult = rateLimit(request, "git", { limit: 30, windowMs: 60000 });
+  if (!rateLimitResult.success) {
+    return new NextResponse("Too Many Requests", {
+      status: 429,
+      headers: { "Retry-After": Math.ceil((rateLimitResult.resetAt - Date.now()) / 1000).toString() },
+    });
+  }
+
   const { path: pathSegments } = await params;
   const parsed = parseGitPath(pathSegments);
 
@@ -365,7 +340,7 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
     return new NextResponse("Repository not found", { status: 404 });
   }
 
-  const user = await authenticateUser(request.headers.get("authorization"));
+  const user = await authenticateRequest(request);
 
   if (action === "git-receive-pack") {
     if (!user || user.id !== repo.ownerId) {
diff --git a/lib/api-auth.ts b/lib/api-auth.ts
new file mode 100644
index 0000000..292741b
--- /dev/null
+++ b/lib/api-auth.ts
@@ -0,0 +1,69 @@
+import { NextRequest } from "next/server";
+import { db } from "@/db";
+import { users } from "@/db/schema";
+import { eq } from "drizzle-orm";
+import { auth } from "@/lib/auth";
+import { getSession } from "@/lib/session";
+
+export interface AuthenticatedUser {
+  id: string;
+  username: string;
+}
+
+export async function authenticateRequest(request: NextRequest): Promise<AuthenticatedUser | null> {
+  const session = await getSession();
+  if (session?.user) {
+    const user = await db.query.users.findFirst({
+      where: eq(users.id, session.user.id),
+    });
+    if (user) {
+      return { id: user.id, username: user.username };
+    }
+  }
+
+  const authHeader = request.headers.get("authorization");
+  if (authHeader?.startsWith("Basic ")) {
+    const credentials = Buffer.from(authHeader.split(" ")[1], "base64").toString("utf-8");
+    const [email, password] = credentials.split(":");
+    if (email && password) {
+      try {
+        const result = await auth.api.signInEmail({
+          body: { email, password },
+          asResponse: false,
+        });
+
+        if (result?.user) {
+          const user = await db.query.users.findFirst({
+            where: eq(users.email, email),
+          });
+          if (user) {
+            return { id: user.id, username: user.username };
+          }
+        }
+      } catch {
+        return null;
+      }
+    }
+  }
+
+  const bearerMatch = request.headers.get("authorization")?.match(/^Bearer (.+)$/);
+  if (bearerMatch) {
+    try {
+      const tokenSession = await auth.api.getSession({
+        headers: request.headers,
+      });
+      if (tokenSession?.user) {
+        const user = await db.query.users.findFirst({
+          where: eq(users.id, tokenSession.user.id),
+        });
+        if (user) {
+          return { id: user.id, username: user.username };
+        }
+      }
+    } catch {
+      return null;
+    }
+  }
+
+  return null;
+}
diff --git a/lib/r2-fs.ts b/lib/r2-fs.ts
index 0a50668..34341c3 100644
--- a/lib/r2-fs.ts
+++ b/lib/r2-fs.ts
@@ -178,3 +178,5 @@ export function createR2Fs(repoPrefix: string) {
 export function getRepoPrefix(userId: string, repoName: string): string {
   return `repos/${userId}/${repoName}`;
 }
+
+export type R2Fs = ReturnType<typeof createR2Fs>;
diff --git a/lib/rate-limit.ts b/lib/rate-limit.ts
new file mode 100644
index 0000000..844e5b4
--- /dev/null
+++ b/lib/rate-limit.ts
@@ -0,0 +1,96 @@
+import { NextRequest, NextResponse } from "next/server";
+
+interface RateLimitEntry {
+  count: number;
+  resetAt: number;
+}
+
+const store = new Map<string, RateLimitEntry>();
+
+setInterval(() => {
+  const now = Date.now();
+  for (const [key, entry] of store) {
+    if (entry.resetAt < now) {
+      store.delete(key);
+    }
+  }
+}, 60000);
+
+export interface RateLimitConfig {
+  limit: number;
+  windowMs: number;
+}
+
+const DEFAULT_CONFIG: RateLimitConfig = {
+  limit: 60,
+  windowMs: 60 * 1000,
+};
+
+function getClientIp(request: NextRequest): string {
+  const xff = request.headers.get("x-forwarded-for");
+  if (xff) {
+    return xff.split(",")[0].trim();
+  }
+  const realIp = request.headers.get("x-real-ip");
+  if (realIp) {
+    return realIp;
+  }
+  return "unknown";
+}
+
+export function rateLimit(
+  request: NextRequest,
+  identifier?: string,
+  config: Partial<RateLimitConfig> = {}
+): { success: boolean; remaining: number; resetAt: number } {
+  const { limit, windowMs } = { ...DEFAULT_CONFIG, ...config };
+  const ip = getClientIp(request);
+  const key = identifier ? `${ip}:${identifier}` : ip;
+  const now = Date.now();
+
+  let entry = store.get(key);
+
+  if (!entry || entry.resetAt < now) {
+    entry = { count: 0, resetAt: now + windowMs };
+    store.set(key, entry);
+  }
+
+  entry.count++;
+
+  return {
+    success: entry.count <= limit,
+    remaining: Math.max(0, limit - entry.count),
+    resetAt: entry.resetAt,
+  };
+}
+
+export function withRateLimit(
+  handler: (request: NextRequest, context: any) => Promise<NextResponse>,
+  config: Partial<RateLimitConfig> & { identifier?: string } = {}
+) {
+  return async (request: NextRequest, context: any): Promise<NextResponse> => {
+    const { identifier, ...rateLimitConfig } = config;
+    const result = rateLimit(request, identifier, rateLimitConfig);
+
+    if (!result.success) {
+      return new NextResponse("Too Many Requests", {
+        status: 429,
+        headers: {
+          "Retry-After": Math.ceil((result.resetAt - Date.now()) / 1000).toString(),
+          "X-RateLimit-Limit": (rateLimitConfig.limit || DEFAULT_CONFIG.limit).toString(),
+          "X-RateLimit-Remaining": "0",
+          "X-RateLimit-Reset": result.resetAt.toString(),
+        },
+      });
+    }
+
+    const response = await handler(request, context);
+
+    response.headers.set("X-RateLimit-Limit", (rateLimitConfig.limit || DEFAULT_CONFIG.limit).toString());
+    response.headers.set("X-RateLimit-Remaining", result.remaining.toString());
+    response.headers.set("X-RateLimit-Reset", result.resetAt.toString());
+
+    return response;
+  };
+}
+