From 4aaa6a158987f42ff94243fa3d0772d3e7690d03 Mon Sep 17 00:00:00 2001
From: Ulas Kalayci
Date: Sat, 9 May 2026 10:09:29 +0200
Subject: [PATCH] fix: rate-limit /manifest.webmanifest route (CodeQL #9)

Applies the existing apiLimiter middleware to the manifest route, which performs a DB lookup without prior rate limiting.

Closes https://github.com/ulsklyc/oikos/security/code-scanning/9
---
 server/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/index.js b/server/index.js
index 442ea51..9f04c18 100644
--- a/server/index.js
+++ b/server/index.js
@@ -176,7 +176,7 @@ app.get('/api/v1/version', (req, res) => {
 res.json({ version: APP_VERSION, app_name: appName });
 });
-app.get('/manifest.webmanifest', (req, res) => {
+app.get('/manifest.webmanifest', apiLimiter, (req, res) => {
 let appName = DEFAULT_APP_NAME;
 try {
 const row = db.get().prepare('SELECT value FROM sync_config WHERE key = ?').get('app_name');
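Review bot: Reusing `apiLimiter` on the added `app.get('/manifest.webmanifest', apiLimiter, ...)` line makes every manifest fetch draw down the same quota as the API, and browsers request the manifest automatically on PWA install and update checks; if the limiter is keyed by client address (its configuration is not visible in this hunk), clients behind a shared NAT or an unconfigured proxy (`app.set('trust proxy', ...)`) can be locked out of both the manifest and the API at once. The underlying concern is a per-request `SELECT` on `sync_config` for a value that rarely changes, so the more robust fix is to cache `app_name` (read once and refresh on a TTL or when `sync_config` is written) rather than throttle the query; if a limiter is still wanted, give the manifest its own more lenient instance, e.g. `app.get('/manifest.webmanifest', manifestLimiter, (req, res) => {`. Worth documenting the choice with a comment above the route, such as `// rate-limited because the handler hits the DB on every request (CodeQL #9)`. The handler's try block continues past the end of the hunk.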