update

backend/src/app.ts

@@ -34,14 +34,20 @@ const authLimiter = rateLimit({
 });
 
 app.use('/api/auth', authLimiter);
-// General rate limiter — skip auth routes (they have their own limiter above)
+// General rate limiter — skip auth routes (own limiter above) and authenticated
+// requests (Bearer token present). Auth middleware validates the token downstream;
+// rate-limiting authenticated dashboard polling would cause 429 floods.
 app.use('/api', rateLimit({
   windowMs: environment.rateLimit.windowMs,
   max: environment.rateLimit.max,
   message: 'Too many requests from this IP, please try again later.',
   standardHeaders: true,
   legacyHeaders: false,
-  skip: (req) => req.path.startsWith('/auth'),
+  skip: (req) => {
+    if (req.path.startsWith('/auth')) return true;
+    const auth = req.headers.authorization;
+    return typeof auth === 'string' && auth.startsWith('Bearer ');
+  },
 }));
 
 // Body parsing middleware