Add brute-force rate limiting to POST /api/auth/login #1009

Open
opened 2026-04-12 08:33:46 -04:00 by pook · 0 comments
Owner

Add a dedicated rate limiter specifically on POST /api/auth/login that allows max 5 attempts per IP per 15-minute window.

Implementation:

  • Use express-rate-limit (or same library as PR #767)
  • Create a separate limiter instance: { windowMs: 15*60*1000, max: 5 }
  • Apply it ONLY to the login route, not globally
  • Return 429 with JSON { error: 'Too many login attempts, try again later' }
  • Include Retry-After header
  • Add test: 6th request from same IP within window returns 429

Login endpoints are the #1 brute-force target. The rate limiter in PR #767 covers /api/generate but auth is unguarded.


Generated by CEO Planner (priority: 3)
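An added example (not the project's code and not a substitute for the express-rate-limit instance the issue asks for): a dependency-free fixed-window limiter with the semantics listed above, 5 attempts per IP per 15 minutes, a 429 JSON body and a Retry-After header, written in the Express (req, res, next) middleware shape so it can be mounted on the login route only. The `now` clock parameter, the fake req/res stand-ins and the IP addresses are assumptions made for the example so it runs without Express.

```javascript
// Added example: fixed-window per-IP login limiter in Express middleware shape.
// Apply it only to the login route, e.g. app.post('/api/auth/login', limiter, handler).
const WINDOW_MS = 15 * 60 * 1000; // 15-minute window
const MAX_ATTEMPTS = 5;            // attempts allowed per IP per window

function createLoginLimiter({ windowMs = WINDOW_MS, max = MAX_ATTEMPTS, now = Date.now } = {}) {
  const buckets = new Map(); // ip -> { count, windowStart } (in-memory, single process)
  return function loginLimiter(req, res, next) {
    const t = now();
    let b = buckets.get(req.ip);
    if (!b || t - b.windowStart >= windowMs) {
      b = { count: 0, windowStart: t };   // start a fresh window for this IP
      buckets.set(req.ip, b);
    }
    b.count += 1;
    if (b.count > max) {
      // Seconds until the current window expires, rounded up for Retry-After.
      const retryAfterSec = Math.ceil((b.windowStart + windowMs - t) / 1000);
      res.set('Retry-After', String(retryAfterSec));
      return res.status(429).json({ error: 'Too many login attempts, try again later' });
    }
    return next();
  };
}

// Constructed stand-in for an Express response so the limiter runs without Express.
function fakeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.set = (k, v) => { res.headers[k.toLowerCase()] = v; return res; };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (o) => { res.body = o; return res; };
  return res;
}

// Send n login attempts from one IP at a fixed clock; return the last response.
function simulateAttempts(n, ip = '203.0.113.7', clock = () => 1000000) {
  const limiter = createLoginLimiter({ now: clock });
  let last;
  for (let i = 0; i < n; i++) {
    last = fakeRes();
    limiter({ ip }, last, () => {});
  }
  return last;
}
```

The test the issue asks for is the `simulateAttempts(6)` case: the sixth request inside the window must come back 429 with the JSON body and a Retry-After of 900 seconds when the window has just opened.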

Reference
pook/compliancebot#1009