makiolaj/GearBox
1
0
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 10 Wiki Activity

feat: add rate limiting on login and setup endpoints

Browse Source 
Implement in-memory rate limiter with 5 attempts per 15-minute window per IP address. Protects brute-force attacks on credential endpoints.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Jean-Luc Makiola
2026-04-03 15:36:03 +02:00
parent 41a2910aeb
commit 2dddba9a08
2 changed files with 51 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/server/routes/auth.ts
View File

@@ -6,6 +6,7 @@ import { z } from "zod";
import { users } from "../../db/schema.ts";
import { parseId } from "../lib/params.ts";
import { requireAuth } from "../middleware/auth.ts";
import { rateLimit } from "../middleware/rateLimit.ts";
import {
changePassword,
createApiKey,
@@ -60,7 +61,7 @@ app.get("/me", (c) => {
return c.json({ user: null, setupRequired });
});
app.post("/setup", zValidator("json", setupSchema), async (c) => {
app.post("/setup", rateLimit, zValidator("json", setupSchema), async (c) => {
const db = c.get("db");
if (getUserCount(db) > 0) {
@@ -81,7 +82,7 @@ app.post("/setup", zValidator("json", setupSchema), async (c) => {
return c.json({ username: user.username }, 201);
});
app.post("/login", zValidator("json", loginSchema), async (c) => {
app.post("/login", rateLimit, zValidator("json", loginSchema), async (c) => {
const db = c.get("db");
const { username, password } = c.req.valid("json");