From ad5406a5d7b2d889d68691cd7befff6bcd2869c7 Mon Sep 17 00:00:00 2001
From: Spencer Twaddle <7374698+stwaddle@users.noreply.github.com>
Date: Sat, 20 Jun 2026 13:43:18 -0500
Subject: [PATCH] Fix middleware execution order so rate limiting comes after authentication.
---
 src/Budget.Api/Program.cs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/Budget.Api/Program.cs b/src/Budget.Api/Program.cs
index e53b3a4..feb4fc5 100644
--- a/src/Budget.Api/Program.cs
+++ b/src/Budget.Api/Program.cs
@@ -171,12 +171,14 @@ using (var scope = app.Services.CreateScope())
 app.UseForwardedHeaders();
 app.UseMiddleware();
-app.UseRateLimiter();
-
 app.UseDefaultFiles();
 app.UseStaticFiles();
+// Authentication must run before the rate limiter so limiter partitions can
+// read the validated "sub" claim; otherwise every authenticated request falls
+// back to the per-IP bucket (auth-hardening-review.md, finding B-1).
 app.UseAuthentication();
+app.UseRateLimiter();
 app.UseAuthorization();
 app.MapControllers();
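Review bot: After this reorder, requests served by `app.UseDefaultFiles()` / `app.UseStaticFiles()` never reach `app.UseRateLimiter()` — the static-file middleware short-circuits the pipeline and now sits above the limiter, whereas before the patch every static request was counted against the per-IP bucket, and neither the commit message nor the new comment mentions that static content is no longer throttled. If that is intended, the new comment should say so (e.g. `// Static files are served above the limiter and are intentionally not rate limited.`); if not, move `app.UseDefaultFiles();` and `app.UseStaticFiles();` below `app.UseRateLimiter();` so they stay throttled. Separately, bearer-token validation now runs on every request before any throttling, so a flood of forged or expired tokens costs a signature check each before the per-IP bucket applies — acceptable for the stated fix, but only if the partitioner still keys anonymous and failed-auth requests by IP; that partitioner is outside this hunk, so I could not confirm it. Whether that client IP is trustworthy depends on the `UseForwardedHeaders()` known-proxy configuration, which is also not shown here and should be checked together with this change.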