Description
Currently, authentication endpoints such as login, signup, password reset, and security answer verification do not have any rate limiting applied.
This exposes the application to potential abuse including:
- Brute-force login attempts
- Credential stuffing attacks
- Security question abuse
- Password reset token spamming
To improve security and protect user accounts, rate limiting should be implemented on all authentication-related routes.
Proposed Solution
- Integrate a rate-limiting middleware (e.g., express-rate-limit)
- Apply stricter limits on:
  - /api/auth/login
  - /api/auth/signup
  - /api/auth/verify-security-answers
  - /api/auth/reset-password
- Configure:
  - Request limit per IP
  - Time window (e.g., 5–10 minutes)
- Return proper HTTP 429 response when limit exceeded
- Optionally log repeated abuse attempts
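As an added illustration of the proposed configuration (not the project's code and not express-rate-limit itself), the following is a minimal fixed-window, per-IP limiter shaped as Express middleware so it runs with no dependencies; it covers the four routes named above, returns 429 with Retry-After, and logs the first over-limit hit per window. The route paths are the ones from this issue, while `max`, `windowMs` and the test doubles (`fakeResponse`, `attempt`) are assumptions for the example.

```javascript
// Added example (not the project's code): a fixed-window, per-IP limiter
// shaped as Express middleware (req, res, next). It stands in for
// express-rate-limit so the example runs with no dependencies. The paths are
// the ones listed in the issue; max/windowMs are assumed values (5 / 10 min).
const AUTH_ROUTES = new Set([
  '/api/auth/login',
  '/api/auth/signup',
  '/api/auth/verify-security-answers',
  '/api/auth/reset-password',
]);

function createAuthRateLimiter({ max = 5, windowMs = 10 * 60 * 1000,
                                 now = Date.now, log = console.warn } = {}) {
  const hits = new Map(); // ip -> { count, resetAt }
  return function authRateLimiter(req, res, next) {
    if (!AUTH_ROUTES.has(req.path)) return next(); // only throttle auth routes
    const t = now();
    let entry = hits.get(req.ip);
    if (!entry || t >= entry.resetAt) {            // start a fresh window
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(req.ip, entry);
    }
    entry.count += 1;
    res.setHeader('RateLimit-Limit', String(max));
    res.setHeader('RateLimit-Remaining', String(Math.max(0, max - entry.count)));
    if (entry.count > max) {
      res.setHeader('Retry-After', String(Math.ceil((entry.resetAt - t) / 1000)));
      if (entry.count === max + 1) {               // log once per window, not per hit
        log(`rate limit exceeded: ip=${req.ip} path=${req.path}`);
      }
      return res.status(429).json({ error: 'Too many requests, try again later.' });
    }
    return next();
  };
}

// Test double for an Express response: records status, headers and body.
function fakeResponse() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.setHeader = (k, v) => { res.headers[k] = v; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Drive the limiter once for a constructed request; 200 means next() ran.
function attempt(limiter, ip, path) {
  const res = fakeResponse();
  let passed = false;
  limiter({ ip, path }, res, () => { passed = true; });
  return passed ? 200 : res.statusCode;
}
```

The in-memory Map never evicts stale entries and is per-process, so a real deployment should use express-rate-limit with a shared store; `req.ip` is only meaningful behind a load balancer if Express's `trust proxy` setting is configured, otherwise every client shares the proxy's address and one bucket.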
Acceptance Criteria