refactor: centralize environment loading in main and refine auth route rate limiting

Author: aryasatya13

backend/cmd/server/cli.go

@@ -9,7 +9,6 @@ import (
 	"strings"
 	"text/tabwriter"
 
-	"github.com/joho/godotenv"
 	"github.com/waitless/waitless/internal/database"
 	"github.com/waitless/waitless/internal/models"
 	"github.com/waitless/waitless/internal/services"
@@ -22,8 +21,6 @@ func runCLI(args []string) {
 		os.Exit(0)
 	}
 
-	godotenv.Load()
-
 	switch args[0] {
 	case "users":
 		cmdListUsers()

backend/cmd/server/main.go

@@ -28,6 +28,9 @@ var (
 )
 
 func main() {
+	// Load .env first — before anything else
+	godotenv.Load()
+
 	// CLI subcommands
 	if len(os.Args) > 1 && os.Args[1] != "serve" {
 		runCLI(os.Args[1:])
@@ -36,9 +39,6 @@ func main() {
 
 	StartTime = time.Now()
 
-	// Load .env
-	godotenv.Load()
-
 	// Structured logging
 	logLevel := slog.LevelInfo
 	if os.Getenv("LOG_LEVEL") == "debug" {

backend/internal/api/router.go

@@ -60,7 +60,7 @@ func NewRouter(version string, startTime time.Time) http.Handler {
 		}, status)
 	})
 
-	// Public waitlist API
+	// Public waitlist API (separate rate limiter)
 	r.Route("/api/public", func(r chi.Router) {
 		r.Use(httprate.LimitByIP(20, time.Minute))
 		r.Get("/w/{slug}", GetProjectBySlug)
@@ -70,18 +70,22 @@ func NewRouter(version string, startTime time.Time) http.Handler {
 
 	// Auth routes
 	r.Route("/api/auth", func(r chi.Router) {
-		r.Use(httprate.LimitByIP(10, time.Minute))
-		r.Post("/register", Register)
-		r.Post("/login", Login)
+		// Rate limit only mutation endpoints (login/register/password reset)
+		r.Group(func(r chi.Router) {
+			r.Use(httprate.LimitByIP(10, time.Minute))
+			r.Post("/register", Register)
+			r.Post("/login", Login)
+			r.Post("/forgot-password", ForgotPassword)
+			r.Post("/reset-password", ResetPassword)
+		})
+		// Session endpoints — no rate limit (polled by dashboard)
 		r.Post("/logout", Logout)
-		r.Post("/forgot-password", ForgotPassword)
-		r.Post("/reset-password", ResetPassword)
 		r.With(authmw.AuthRequired).Get("/me", Me)
 		r.With(authmw.AuthRequired).Put("/me", UpdateProfile)
 		r.With(authmw.AuthRequired).Put("/me/password", ChangePassword)
 	})
 
-	// Dashboard API (authenticated)
+	// Dashboard API (authenticated, no shared rate limit with public)
 	r.Route("/api/dashboard", func(r chi.Router) {
 		r.Use(authmw.AuthRequired)