From 2e9e438baadb3e8a4d1913a851315514fa8c5809 Mon Sep 17 00:00:00 2001
From: Tetardtek
Date: Sun, 5 Apr 2026 07:49:56 +0200
Subject: [PATCH] =?UTF-8?q?security:=20AuthGuard=20cache=20max=20size=20?= =?UTF-8?q?=E2=80=94=20eviction=20FIFO=201000=20entries?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 backend/src/auth/auth.guard.ts | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/backend/src/auth/auth.guard.ts b/backend/src/auth/auth.guard.ts
index 66d3cc5..402b07d 100644
--- a/backend/src/auth/auth.guard.ts
+++ b/backend/src/auth/auth.guard.ts
@@ -12,6 +12,7 @@ interface CacheEntry {
 }
 const TOKEN_CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+const MAX_CACHE_SIZE = 1000;
 @Injectable()
 export class AuthGuard implements CanActivate {
@@ -49,6 +50,10 @@ export class AuthGuard implements CanActivate {
 const user = await this.introspect(token);
 if (user) {
+ if (this.cache.size >= MAX_CACHE_SIZE) {
+ const oldest = this.cache.keys().next().value;
+ if (oldest) this.cache.delete(oldest);
+ }
 this.cache.set(token, {
 user,
 expiresAt: Date.now() + TOKEN_CACHE_TTL_MS,
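Review bot: `MAX_CACHE_SIZE` is added without a comment, while the TTL constant beside it carries one, and the number alone does not say what happens when the limit is reached. I would add `// Max cached introspection results; the oldest-inserted entry is evicted once reached` above it. If the number of concurrently active tokens can exceed 1000, the cache will churn and many requests will fall through to `introspect()`, so the value is probably worth making configurable.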
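Review bot: The size check in the `if (user)` branch also fires when `token` already has an entry in the cache (for example an expired one being refreshed), so a live entry is evicted even though the following `set` would not grow the cache. Assuming `this.cache` is a `Map`, `set` on an existing key also keeps its original insertion position, so the refreshed token stays at the head and is the next one evicted. Putting `this.cache.delete(token);` before the size check covers both cases, because the entry is then re-inserted at the tail. Whether the cache-hit path already deletes expired entries is not visible, since the method starts and ends outside the hunk. Separately, `if (oldest)` reads more precisely as `if (oldest !== undefined)`.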