some more after reading the source:

- JWT needs to be validated; as it is, your implementation [1] happily accepts anything, so you can impersonate anyone you want. I'd argue that it's a bad default choice too [2]

- baking-in resend.com as email provider is unlikely to be useful for most people

- x-forwarded-for [3] is only added by proxy servers, and will often not be present. This means you'll be applying a shared rate limit to most of your users

- the 'ai' helper is missing from the code. If this is vibe-coded, having tests for the examples will help keep it cohesive

Sorry if this is a lot, I hope it can help.

[1] https://github.com/MatthewTheCoder1218/princejs/blob/main/sr...

[2] https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-ba...

[3] https://github.com/MatthewTheCoder1218/princejs/blob/main/sr...

Ok thanks. The ai is missing because I couldn't fully implement it and I didn't want it half-baked, so I just took it out.