Problem
The /api/auth/login and /api/auth/logout endpoints have no rate limiting, making them vulnerable to brute-force credential attacks. This is acknowledged as a known gap in the codebase.
Proposed Solution
Implement IP-based rate limiting for auth endpoints:
- In-memory rate limiter — Use a sliding window counter per IP address
- Configuration — Configurable max attempts (default: 5) and window duration (default: 15 minutes)
- Response — Return 429 Too Many Requests with Retry-After header when limit exceeded
- Logging — Log rate limit events for security auditing
Acceptance Criteria
- /api/auth/login is rate limited (default: 5 attempts per 15-minute window per IP)
- 429 response with Retry-After header
Notes
- For a local-first app, an in-memory store (Map with TTL cleanup) is sufficient — no need for Redis
- Consider using a lightweight library like rate-limiter-flexible if it simplifies implementation
🤖 Generated with Claude Code
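As an added example, not code from this project or its author: a self-contained sketch of the proposed design in JavaScript, covering the per-IP in-memory limiter with configurable max attempts (default 5) and window (default 15 minutes), the 429 response with a Retry-After header, an audit-log hook, and the TTL cleanup for the Map. It implements the exact sliding-window log variant (one timestamp per allowed attempt, so memory per IP is bounded by max attempts) rather than the approximate two-bucket counter. The class name, the checkAuthRequest helper, the injectable now/log hooks and the sample IP are all this example's own assumptions; it does not use rate-limiter-flexible.

```javascript
// Added example (not the project's code): per-IP sliding-window rate limiter
// for auth endpoints with 429 + Retry-After and audit logging.
// SlidingWindowRateLimiter, checkAuthRequest and the now/log hooks are
// assumed names for this example, not identifiers from the codebase.

class SlidingWindowRateLimiter {
  constructor({ maxAttempts = 5, windowMs = 15 * 60 * 1000, now = () => Date.now(), log = () => {} } = {}) {
    this.maxAttempts = maxAttempts;
    this.windowMs = windowMs;
    this.now = now;        // injectable clock (ms) so tests need not wait 15 minutes
    this.log = log;        // audit hook, receives a plain event object
    this.hits = new Map(); // ip -> ascending timestamps of allowed attempts still inside the window
  }

  // Drop timestamps that have left the window; delete the key once it is empty.
  prune(ip, t) {
    const stamps = this.hits.get(ip);
    if (!stamps) return [];
    const cutoff = t - this.windowMs;
    let i = 0;
    while (i < stamps.length && stamps[i] <= cutoff) i++;
    if (i > 0) stamps.splice(0, i);
    if (stamps.length === 0) this.hits.delete(ip);
    return stamps;
  }

  // Record one attempt from `ip`. Returns { allowed, remaining, retryAfterSeconds }.
  // Denied attempts are not stored, so each IP holds at most maxAttempts timestamps.
  consume(ip) {
    const t = this.now();
    const stamps = this.prune(ip, t);
    if (stamps.length >= this.maxAttempts) {
      // The window slides: the client may retry once the oldest attempt ages out.
      const retryAfterSeconds = Math.max(1, Math.ceil((stamps[0] + this.windowMs - t) / 1000));
      this.log({ event: 'auth_rate_limited', ip, attempts: stamps.length, retryAfterSeconds, at: t });
      return { allowed: false, remaining: 0, retryAfterSeconds };
    }
    stamps.push(t);
    this.hits.set(ip, stamps);
    return { allowed: true, remaining: this.maxAttempts - stamps.length, retryAfterSeconds: 0 };
  }

  // TTL cleanup: run from a setInterval so idle IPs do not keep the Map growing.
  // Returns the number of IPs still tracked.
  cleanup() {
    const t = this.now();
    for (const ip of [...this.hits.keys()]) this.prune(ip, t);
    return this.hits.size;
  }
}

// Framework-neutral decision for one request: null means "let the handler run",
// otherwise the 429 response to send. `clientIp` must be the address the server
// trusts (set by a trusted proxy), never a header the client controls.
function checkAuthRequest(limiter, clientIp) {
  const result = limiter.consume(clientIp);
  if (result.allowed) return null;
  return {
    status: 429,
    headers: { 'Retry-After': String(result.retryAfterSeconds) },
    body: { error: 'Too Many Requests' },
  };
}

// Walk-through with a manual clock: 5 attempts pass, the 6th is denied with
// Retry-After 900, and the IP is admitted again once the window has slid past.
function demo() {
  let clockMs = 0;
  const events = [];
  const limiter = new SlidingWindowRateLimiter({ now: () => clockMs, log: (e) => events.push(e) });
  const ip = '203.0.113.7'; // constructed sample address (TEST-NET-3 range)
  const decisions = [];
  for (let i = 0; i < 6; i++) decisions.push(checkAuthRequest(limiter, ip));
  clockMs = 15 * 60 * 1000; // oldest attempt ages out exactly at the window edge
  decisions.push(checkAuthRequest(limiter, ip));
  return { decisions, events, liveKeys: limiter.cleanup() };
}

if (typeof require !== 'undefined' && require.main === module) console.log(JSON.stringify(demo(), null, 2));
```

Wire checkAuthRequest in front of both /api/auth/login and /api/auth/logout, and feed it the IP your framework derives from the trusted proxy chain rather than a raw X-Forwarded-For value, otherwise the per-IP key is attacker-controlled. Keying only on IP leaves a shared NAT blocked by one noisy client and spreads a distributed attempt across many IPs; a second limiter keyed on the submitted username is a common complement. The audit events carry ip, attempt count and Retry-After so a SIEM rule can alert on repeated auth_rate_limited events from one source.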