apps/api/src/federation/identity-linking.controller.spec.ts

@@ -90,6 +90,15 @@ describe("IdentityLinkingController", () => {
   });
 
   describe("POST /identity/verify", () => {
+    it("should have AuthGuard and Throttle decorators applied", () => {
+      // Verify that the endpoint has proper guards and rate limiting
+      const verifyMetadata = Reflect.getMetadata(
+        "__guards__",
+        IdentityLinkingController.prototype.verifyIdentity
+      );
+      expect(verifyMetadata).toBeDefined();
+    });
+
     it("should verify identity with valid request", async () => {
       const dto: VerifyIdentityDto = {
         localUserId: "local-user-id",

apps/api/src/federation/identity-linking.controller.ts

@@ -5,6 +5,7 @@
  */
 
 import { Controller, Post, Get, Patch, Delete, Body, Param, UseGuards } from "@nestjs/common";
+import { Throttle } from "@nestjs/throttler";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import { IdentityLinkingService } from "./identity-linking.service";
 import { IdentityResolutionService } from "./identity-resolution.service";
@@ -45,8 +46,11 @@ export class IdentityLinkingController {
    *
    * Verify a user's identity from a remote instance.
    * Validates signature and OIDC token.
+   * Rate limit: "strict" tier (10 req/min) - public endpoint requiring authentication
    */
   @Post("verify")
+  @UseGuards(AuthGuard)
+  @Throttle({ strict: { limit: 10, ttl: 60000 } })
   async verifyIdentity(@Body() dto: VerifyIdentityDto): Promise<IdentityVerificationResponse> {
     return this.identityLinkingService.verifyIdentity(dto);
   }