Finish adding limits checks to all put and post

2026-02-10 20:02:26 +00:00 · 2026-02-10 10:52:40 -08:00
parent 035396f95c
commit af7263a0b1
5 changed files with 91 additions and 6 deletions
--- a/server/middlewares/verifyLimits.ts
+++ b/server/middlewares/verifyLimits.ts
@@ -17,7 +17,7 @@ export async function verifyLimits(
        return next();
    }

-    const orgId = req.userOrgId || req.params.orgId;
+    const orgId = req.userOrgId || req.apiKeyOrg?.orgId || req.params.orgId;

    if (!orgId) {
        return next(); // its fine if we silently fail here because this is not critical to operation or security and its better user experience if we dont fail
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -31,7 +31,8 @@ import {
    verifyUserHasAction,
    verifyUserIsServerAdmin,
    verifySiteAccess,
-    verifyClientAccess
+    verifyClientAccess,
+    verifyLimits
 } from "@server/middlewares";
 import { ActionsEnum } from "@server/auth/actions";
 import {
@@ -79,6 +80,7 @@ authenticated.put(
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.orgOidc),
    verifyOrgAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.createIdp),
    logActionAudit(ActionsEnum.createIdp),
    orgIdp.createOrgOidcIdp
@@ -90,6 +92,7 @@ authenticated.post(
    verifyValidSubscription(tierMatrix.orgOidc),
    verifyOrgAccess,
    verifyIdpAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.updateIdp),
    logActionAudit(ActionsEnum.updateIdp),
    orgIdp.updateOrgOidcIdp
@@ -138,6 +141,7 @@ authenticated.post(
    verifyValidLicense,
    verifyOrgAccess,
    verifyCertificateAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.restartCertificate),
    logActionAudit(ActionsEnum.restartCertificate),
    certificates.restartCertificate
@@ -237,6 +241,7 @@ authenticated.put(
    "/org/:orgId/remote-exit-node",
    verifyValidLicense,
    verifyOrgAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.createRemoteExitNode),
    logActionAudit(ActionsEnum.createRemoteExitNode),
    remoteExitNode.createRemoteExitNode
@@ -282,6 +287,7 @@ authenticated.put(
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.loginPageDomain),
    verifyOrgAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.createLoginPage),
    logActionAudit(ActionsEnum.createLoginPage),
    loginPage.createLoginPage
@@ -293,6 +299,7 @@ authenticated.post(
    verifyValidSubscription(tierMatrix.loginPageDomain),
    verifyOrgAccess,
    verifyLoginPageAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.updateLoginPage),
    logActionAudit(ActionsEnum.updateLoginPage),
    loginPage.updateLoginPage
@@ -338,6 +345,7 @@ authenticated.put(
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.deviceApprovals),
    verifyOrgAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.updateApprovals),
    logActionAudit(ActionsEnum.updateApprovals),
    approval.processPendingApproval
@@ -358,6 +366,7 @@ authenticated.put(
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.loginPageBranding),
    verifyOrgAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.updateLoginPage),
    logActionAudit(ActionsEnum.updateLoginPage),
    loginPage.upsertLoginPageBranding
@@ -470,18 +479,20 @@ authenticated.get(

 authenticated.post(
    "/re-key/:clientId/regenerate-client-secret",
-    verifyClientAccess, // this is first to set the org id
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.rotateCredentials),
+    verifyClientAccess, // this is first to set the org id
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.reGenerateSecret),
    reKey.reGenerateClientSecret
 );

 authenticated.post(
    "/re-key/:siteId/regenerate-site-secret",
-    verifySiteAccess, // this is first to set the org id
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.rotateCredentials),
+    verifySiteAccess, // this is first to set the org id
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.reGenerateSecret),
    reKey.reGenerateSiteSecret
 );
@@ -491,6 +502,7 @@ authenticated.put(
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.rotateCredentials),
    verifyOrgAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.reGenerateSecret),
    reKey.reGenerateExitNodeSecret
 );
--- a/server/private/routers/integration.ts
+++ b/server/private/routers/integration.ts
@@ -19,7 +19,8 @@ import {
    verifyApiKeyHasAction,
    verifyApiKeyIsRoot,
    verifyApiKeyOrgAccess,
-    verifyApiKeyIdpAccess
+    verifyApiKeyIdpAccess,
+    verifyLimits
 } from "@server/middlewares";
 import {
    verifyValidSubscription,
@@ -95,6 +96,7 @@ authenticated.put(
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.orgOidc),
    verifyApiKeyOrgAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.createIdp),
    logActionAudit(ActionsEnum.createIdp),
    orgIdp.createOrgOidcIdp
@@ -106,6 +108,7 @@ authenticated.post(
    verifyValidSubscription(tierMatrix.orgOidc),
    verifyApiKeyOrgAccess,
    verifyApiKeyIdpAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.updateIdp),
    logActionAudit(ActionsEnum.updateIdp),
    orgIdp.updateOrgOidcIdp
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -561,6 +561,7 @@ authenticated.get(
 authenticated.post(
    "/resource/:resourceId/rule/:ruleId",
    verifyResourceAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.updateResourceRule),
    logActionAudit(ActionsEnum.updateResourceRule),
    resource.updateResourceRule
@@ -582,6 +583,7 @@ authenticated.get(
 authenticated.post(
    "/target/:targetId",
    verifyTargetAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.updateTarget),
    logActionAudit(ActionsEnum.updateTarget),
    target.updateTarget
@@ -612,6 +614,7 @@ authenticated.get(
 authenticated.post(
    "/role/:roleId",
    verifyRoleAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.updateRole),
    logActionAudit(ActionsEnum.updateRole),
    role.updateRole
@@ -640,6 +643,7 @@ authenticated.post(
    "/role/:roleId/add/:userId",
    verifyRoleAccess,
    verifyUserAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.addUserRole),
    logActionAudit(ActionsEnum.addUserRole),
    user.addUserRole
@@ -649,6 +653,7 @@ authenticated.post(
    "/resource/:resourceId/roles",
    verifyResourceAccess,
    verifyRoleAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.setResourceRoles),
    logActionAudit(ActionsEnum.setResourceRoles),
    resource.setResourceRoles
@@ -658,6 +663,7 @@ authenticated.post(
    "/resource/:resourceId/users",
    verifyResourceAccess,
    verifySetResourceUsers,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.setResourceUsers),
    logActionAudit(ActionsEnum.setResourceUsers),
    resource.setResourceUsers
@@ -666,6 +672,7 @@ authenticated.post(
 authenticated.post(
    `/resource/:resourceId/password`,
    verifyResourceAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.setResourcePassword),
    logActionAudit(ActionsEnum.setResourcePassword),
    resource.setResourcePassword
@@ -674,6 +681,7 @@ authenticated.post(
 authenticated.post(
    `/resource/:resourceId/pincode`,
    verifyResourceAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.setResourcePincode),
    logActionAudit(ActionsEnum.setResourcePincode),
    resource.setResourcePincode
@@ -682,6 +690,7 @@ authenticated.post(
 authenticated.post(
    `/resource/:resourceId/header-auth`,
    verifyResourceAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.setResourceHeaderAuth),
    logActionAudit(ActionsEnum.setResourceHeaderAuth),
    resource.setResourceHeaderAuth
@@ -690,6 +699,7 @@ authenticated.post(
 authenticated.post(
    `/resource/:resourceId/whitelist`,
    verifyResourceAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.setResourceWhitelist),
    logActionAudit(ActionsEnum.setResourceWhitelist),
    resource.setResourceWhitelist
@@ -705,6 +715,7 @@ authenticated.get(
 authenticated.post(
    `/resource/:resourceId/access-token`,
    verifyResourceAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.generateAccessToken),
    logActionAudit(ActionsEnum.generateAccessToken),
    accessToken.generateAccessToken
@@ -805,6 +816,7 @@ authenticated.post(
    "/org/:orgId/user/:userId",
    verifyOrgAccess,
    verifyUserAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.updateOrgUser),
    logActionAudit(ActionsEnum.updateOrgUser),
    user.updateOrgUser
@@ -877,6 +889,7 @@ authenticated.post(
    "/user/:userId/olm/:olmId/archive",
    verifyIsLoggedInUser,
    verifyOlmAccess,
+    verifyLimits,
    olm.archiveUserOlm
 );

@@ -991,6 +1004,7 @@ authenticated.post(
    `/org/:orgId/api-key/:apiKeyId/actions`,
    verifyOrgAccess,
    verifyApiKeyAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.setApiKeyActions),
    logActionAudit(ActionsEnum.setApiKeyActions),
    apiKeys.setApiKeyActions
@@ -1043,6 +1057,7 @@ authenticated.post(
    `/org/:orgId/domain/:domainId/restart`,
    verifyOrgAccess,
    verifyDomainAccess,
+    verifyLimits,
    verifyUserHasAction(ActionsEnum.restartOrgDomain),
    logActionAudit(ActionsEnum.restartOrgDomain),
    domain.restartOrgDomain
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -26,7 +26,8 @@ import {
    verifyApiKeyIsRoot,
    verifyApiKeyClientAccess,
    verifyApiKeySiteResourceAccess,
-    verifyApiKeySetResourceClients
+    verifyApiKeySetResourceClients,
+    verifyLimits
 } from "@server/middlewares";
 import HttpCode from "@server/types/HttpCode";
 import { Router } from "express";
@@ -74,6 +75,7 @@ authenticated.get(
 authenticated.post(
    "/org/:orgId",
    verifyApiKeyOrgAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.updateOrg),
    logActionAudit(ActionsEnum.updateOrg),
    org.updateOrg
@@ -90,6 +92,7 @@ authenticated.delete(
 authenticated.put(
    "/org/:orgId/site",
    verifyApiKeyOrgAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.createSite),
    logActionAudit(ActionsEnum.createSite),
    site.createSite
@@ -126,6 +129,7 @@ authenticated.get(
 authenticated.post(
    "/site/:siteId",
    verifyApiKeySiteAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.updateSite),
    logActionAudit(ActionsEnum.updateSite),
    site.updateSite
@@ -148,6 +152,7 @@ authenticated.get(
 authenticated.put(
    "/org/:orgId/site-resource",
    verifyApiKeyOrgAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.createSiteResource),
    logActionAudit(ActionsEnum.createSiteResource),
    siteResource.createSiteResource
@@ -178,6 +183,7 @@ authenticated.get(
 authenticated.post(
    "/site-resource/:siteResourceId",
    verifyApiKeySiteResourceAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.updateSiteResource),
    logActionAudit(ActionsEnum.updateSiteResource),
    siteResource.updateSiteResource
@@ -216,6 +222,7 @@ authenticated.post(
    "/site-resource/:siteResourceId/roles",
    verifyApiKeySiteResourceAccess,
    verifyApiKeyRoleAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceRoles),
    logActionAudit(ActionsEnum.setResourceRoles),
    siteResource.setSiteResourceRoles
@@ -225,6 +232,7 @@ authenticated.post(
    "/site-resource/:siteResourceId/users",
    verifyApiKeySiteResourceAccess,
    verifyApiKeySetResourceUsers,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
    logActionAudit(ActionsEnum.setResourceUsers),
    siteResource.setSiteResourceUsers
@@ -234,6 +242,7 @@ authenticated.post(
    "/site-resource/:siteResourceId/roles/add",
    verifyApiKeySiteResourceAccess,
    verifyApiKeyRoleAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceRoles),
    logActionAudit(ActionsEnum.setResourceRoles),
    siteResource.addRoleToSiteResource
@@ -243,6 +252,7 @@ authenticated.post(
    "/site-resource/:siteResourceId/roles/remove",
    verifyApiKeySiteResourceAccess,
    verifyApiKeyRoleAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceRoles),
    logActionAudit(ActionsEnum.setResourceRoles),
    siteResource.removeRoleFromSiteResource
@@ -252,6 +262,7 @@ authenticated.post(
    "/site-resource/:siteResourceId/users/add",
    verifyApiKeySiteResourceAccess,
    verifyApiKeySetResourceUsers,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
    logActionAudit(ActionsEnum.setResourceUsers),
    siteResource.addUserToSiteResource
@@ -261,6 +272,7 @@ authenticated.post(
    "/site-resource/:siteResourceId/users/remove",
    verifyApiKeySiteResourceAccess,
    verifyApiKeySetResourceUsers,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
    logActionAudit(ActionsEnum.setResourceUsers),
    siteResource.removeUserFromSiteResource
@@ -270,6 +282,7 @@ authenticated.post(
    "/site-resource/:siteResourceId/clients",
    verifyApiKeySiteResourceAccess,
    verifyApiKeySetResourceClients,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
    logActionAudit(ActionsEnum.setResourceUsers),
    siteResource.setSiteResourceClients
@@ -279,6 +292,7 @@ authenticated.post(
    "/site-resource/:siteResourceId/clients/add",
    verifyApiKeySiteResourceAccess,
    verifyApiKeySetResourceClients,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
    logActionAudit(ActionsEnum.setResourceUsers),
    siteResource.addClientToSiteResource
@@ -288,6 +302,7 @@ authenticated.post(
    "/site-resource/:siteResourceId/clients/remove",
    verifyApiKeySiteResourceAccess,
    verifyApiKeySetResourceClients,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
    logActionAudit(ActionsEnum.setResourceUsers),
    siteResource.removeClientFromSiteResource
@@ -296,6 +311,7 @@ authenticated.post(
 authenticated.put(
    "/org/:orgId/resource",
    verifyApiKeyOrgAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.createResource),
    logActionAudit(ActionsEnum.createResource),
    resource.createResource
@@ -304,6 +320,7 @@ authenticated.put(
 authenticated.put(
    "/org/:orgId/site/:siteId/resource",
    verifyApiKeyOrgAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.createResource),
    logActionAudit(ActionsEnum.createResource),
    resource.createResource
@@ -340,6 +357,7 @@ authenticated.get(
 authenticated.post(
    "/org/:orgId/create-invite",
    verifyApiKeyOrgAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.inviteUser),
    logActionAudit(ActionsEnum.inviteUser),
    user.inviteUser
@@ -377,6 +395,7 @@ authenticated.get(
 authenticated.post(
    "/resource/:resourceId",
    verifyApiKeyResourceAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.updateResource),
    logActionAudit(ActionsEnum.updateResource),
    resource.updateResource
@@ -393,6 +412,7 @@ authenticated.delete(
 authenticated.put(
    "/resource/:resourceId/target",
    verifyApiKeyResourceAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.createTarget),
    logActionAudit(ActionsEnum.createTarget),
    target.createTarget
@@ -408,6 +428,7 @@ authenticated.get(
 authenticated.put(
    "/resource/:resourceId/rule",
    verifyApiKeyResourceAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.createResourceRule),
    logActionAudit(ActionsEnum.createResourceRule),
    resource.createResourceRule
@@ -423,6 +444,7 @@ authenticated.get(
 authenticated.post(
    "/resource/:resourceId/rule/:ruleId",
    verifyApiKeyResourceAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.updateResourceRule),
    logActionAudit(ActionsEnum.updateResourceRule),
    resource.updateResourceRule
@@ -446,6 +468,7 @@ authenticated.get(
 authenticated.post(
    "/target/:targetId",
    verifyApiKeyTargetAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.updateTarget),
    logActionAudit(ActionsEnum.updateTarget),
    target.updateTarget
@@ -462,6 +485,7 @@ authenticated.delete(
 authenticated.put(
    "/org/:orgId/role",
    verifyApiKeyOrgAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.createRole),
    logActionAudit(ActionsEnum.createRole),
    role.createRole
@@ -470,6 +494,7 @@ authenticated.put(
 authenticated.post(
    "/role/:roleId",
    verifyApiKeyRoleAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.updateRole),
    logActionAudit(ActionsEnum.updateRole),
    role.updateRole
@@ -501,6 +526,7 @@ authenticated.post(
    "/role/:roleId/add/:userId",
    verifyApiKeyRoleAccess,
    verifyApiKeyUserAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.addUserRole),
    logActionAudit(ActionsEnum.addUserRole),
    user.addUserRole
@@ -510,6 +536,7 @@ authenticated.post(
    "/resource/:resourceId/roles",
    verifyApiKeyResourceAccess,
    verifyApiKeyRoleAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceRoles),
    logActionAudit(ActionsEnum.setResourceRoles),
    resource.setResourceRoles
@@ -519,6 +546,7 @@ authenticated.post(
    "/resource/:resourceId/users",
    verifyApiKeyResourceAccess,
    verifyApiKeySetResourceUsers,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
    logActionAudit(ActionsEnum.setResourceUsers),
    resource.setResourceUsers
@@ -528,6 +556,7 @@ authenticated.post(
    "/resource/:resourceId/roles/add",
    verifyApiKeyResourceAccess,
    verifyApiKeyRoleAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceRoles),
    logActionAudit(ActionsEnum.setResourceRoles),
    resource.addRoleToResource
@@ -537,6 +566,7 @@ authenticated.post(
    "/resource/:resourceId/roles/remove",
    verifyApiKeyResourceAccess,
    verifyApiKeyRoleAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceRoles),
    logActionAudit(ActionsEnum.setResourceRoles),
    resource.removeRoleFromResource
@@ -546,6 +576,7 @@ authenticated.post(
    "/resource/:resourceId/users/add",
    verifyApiKeyResourceAccess,
    verifyApiKeySetResourceUsers,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
    logActionAudit(ActionsEnum.setResourceUsers),
    resource.addUserToResource
@@ -555,6 +586,7 @@ authenticated.post(
    "/resource/:resourceId/users/remove",
    verifyApiKeyResourceAccess,
    verifyApiKeySetResourceUsers,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
    logActionAudit(ActionsEnum.setResourceUsers),
    resource.removeUserFromResource
@@ -563,6 +595,7 @@ authenticated.post(
 authenticated.post(
    `/resource/:resourceId/password`,
    verifyApiKeyResourceAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourcePassword),
    logActionAudit(ActionsEnum.setResourcePassword),
    resource.setResourcePassword
@@ -571,6 +604,7 @@ authenticated.post(
 authenticated.post(
    `/resource/:resourceId/pincode`,
    verifyApiKeyResourceAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourcePincode),
    logActionAudit(ActionsEnum.setResourcePincode),
    resource.setResourcePincode
@@ -579,6 +613,7 @@ authenticated.post(
 authenticated.post(
    `/resource/:resourceId/header-auth`,
    verifyApiKeyResourceAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceHeaderAuth),
    logActionAudit(ActionsEnum.setResourceHeaderAuth),
    resource.setResourceHeaderAuth
@@ -587,6 +622,7 @@ authenticated.post(
 authenticated.post(
    `/resource/:resourceId/whitelist`,
    verifyApiKeyResourceAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceWhitelist),
    logActionAudit(ActionsEnum.setResourceWhitelist),
    resource.setResourceWhitelist
@@ -595,6 +631,7 @@ authenticated.post(
 authenticated.post(
    `/resource/:resourceId/whitelist/add`,
    verifyApiKeyResourceAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceWhitelist),
    resource.addEmailToResourceWhitelist
 );
@@ -602,6 +639,7 @@ authenticated.post(
 authenticated.post(
    `/resource/:resourceId/whitelist/remove`,
    verifyApiKeyResourceAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setResourceWhitelist),
    resource.removeEmailFromResourceWhitelist
 );
@@ -616,6 +654,7 @@ authenticated.get(
 authenticated.post(
    `/resource/:resourceId/access-token`,
    verifyApiKeyResourceAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.generateAccessToken),
    logActionAudit(ActionsEnum.generateAccessToken),
    accessToken.generateAccessToken
@@ -653,6 +692,7 @@ authenticated.get(
 authenticated.post(
    "/user/:userId/2fa",
    verifyApiKeyIsRoot,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.updateUser),
    logActionAudit(ActionsEnum.updateUser),
    user.updateUser2FA
@@ -675,6 +715,7 @@ authenticated.get(
 authenticated.put(
    "/org/:orgId/user",
    verifyApiKeyOrgAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.createOrgUser),
    logActionAudit(ActionsEnum.createOrgUser),
    user.createOrgUser
@@ -684,6 +725,7 @@ authenticated.post(
    "/org/:orgId/user/:userId",
    verifyApiKeyOrgAccess,
    verifyApiKeyUserAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.updateOrgUser),
    logActionAudit(ActionsEnum.updateOrgUser),
    user.updateOrgUser
@@ -714,6 +756,7 @@ authenticated.get(
 authenticated.post(
    `/org/:orgId/api-key/:apiKeyId/actions`,
    verifyApiKeyIsRoot,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.setApiKeyActions),
    logActionAudit(ActionsEnum.setApiKeyActions),
    apiKeys.setApiKeyActions
@@ -729,6 +772,7 @@ authenticated.get(
 authenticated.put(
    `/org/:orgId/api-key`,
    verifyApiKeyIsRoot,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.createApiKey),
    logActionAudit(ActionsEnum.createApiKey),
    apiKeys.createOrgApiKey
@@ -745,6 +789,7 @@ authenticated.delete(
 authenticated.put(
    "/idp/oidc",
    verifyApiKeyIsRoot,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.createIdp),
    logActionAudit(ActionsEnum.createIdp),
    idp.createOidcIdp
@@ -753,6 +798,7 @@ authenticated.put(
 authenticated.post(
    "/idp/:idpId/oidc",
    verifyApiKeyIsRoot,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.updateIdp),
    logActionAudit(ActionsEnum.updateIdp),
    idp.updateOidcIdp
@@ -776,6 +822,7 @@ authenticated.get(
 authenticated.put(
    "/idp/:idpId/org/:orgId",
    verifyApiKeyIsRoot,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.createIdpOrg),
    logActionAudit(ActionsEnum.createIdpOrg),
    idp.createIdpOrgPolicy
@@ -784,6 +831,7 @@ authenticated.put(
 authenticated.post(
    "/idp/:idpId/org/:orgId",
    verifyApiKeyIsRoot,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.updateIdpOrg),
    logActionAudit(ActionsEnum.updateIdpOrg),
    idp.updateIdpOrgPolicy
@@ -828,6 +876,7 @@ authenticated.get(
 authenticated.put(
    "/org/:orgId/client",
    verifyApiKeyOrgAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.createClient),
    logActionAudit(ActionsEnum.createClient),
    client.createClient
@@ -854,6 +903,7 @@ authenticated.delete(
 authenticated.post(
    "/client/:clientId/archive",
    verifyApiKeyClientAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.archiveClient),
    logActionAudit(ActionsEnum.archiveClient),
    client.archiveClient
@@ -862,6 +912,7 @@ authenticated.post(
 authenticated.post(
    "/client/:clientId/unarchive",
    verifyApiKeyClientAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.unarchiveClient),
    logActionAudit(ActionsEnum.unarchiveClient),
    client.unarchiveClient
@@ -870,6 +921,7 @@ authenticated.post(
 authenticated.post(
    "/client/:clientId/block",
    verifyApiKeyClientAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.blockClient),
    logActionAudit(ActionsEnum.blockClient),
    client.blockClient
@@ -878,6 +930,7 @@ authenticated.post(
 authenticated.post(
    "/client/:clientId/unblock",
    verifyApiKeyClientAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.unblockClient),
    logActionAudit(ActionsEnum.unblockClient),
    client.unblockClient
@@ -886,6 +939,7 @@ authenticated.post(
 authenticated.post(
    "/client/:clientId",
    verifyApiKeyClientAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.updateClient),
    logActionAudit(ActionsEnum.updateClient),
    client.updateClient
@@ -894,6 +948,7 @@ authenticated.post(
 authenticated.put(
    "/org/:orgId/blueprint",
    verifyApiKeyOrgAccess,
+    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.applyBlueprint),
    logActionAudit(ActionsEnum.applyBlueprint),
    blueprints.applyJSONBlueprint