Skip to content

feat(auth): add rate limiting to signup, login, and google-login #1450

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Honey-pg wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(auth): add rate limiting to signup, login, and google-login #1450

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 30 additions & 10 deletions backend/routes/authRoutes.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
import express from 'express';
import rateLimit from 'express-rate-limit';
import rateLimit, { ipKeyGenerator } from 'express-rate-limit';
import {
signup,
login,
Expand All @@ -16,21 +16,41 @@ import { authMiddleware } from '../middlewares/authMiddleware.js';

const router = express.Router();

// ─── Rate limiter for all 2FA endpoints ───────────────────────────────────────
// Max 5 attempts per 15 minutes β€” prevents brute-force on TOTP codes
const twoFALimiter = rateLimit({
const RATE_LIMIT_MESSAGE = { message: 'Too many attempts, please try again later' };

const baseAuthLimitOptions = {
windowMs: 15 * 60 * 1000, // 15 minutes
max: 5,
standardHeaders: true,
legacyHeaders: false,
message: { message: 'Too many attempts, please try again later' },
message: RATE_LIMIT_MESSAGE,
};

const normalizeEmail = (req) => String(req.body?.email ?? '').trim().toLowerCase();

// Max 10 auth attempts per IP per 15 minutes β€” caps credential stuffing / signup spam
const authByIpLimiter = rateLimit({
...baseAuthLimitOptions,
max: 10,
keyGenerator: (req) => ipKeyGenerator(req.ip),
});

// Max 5 attempts per email per 15 minutes β€” protects individual accounts from brute-force
const authByEmailLimiter = rateLimit({
...baseAuthLimitOptions,
max: 5,
keyGenerator: (req) => normalizeEmail(req) || ipKeyGenerator(req.ip),
});

// Max 5 attempts per 15 minutes β€” prevents brute-force on TOTP codes
const twoFALimiter = rateLimit({
...baseAuthLimitOptions,
max: 5,
});
// ──────────────────────────────────────────────────────────────────────────────

// Public routes
router.post('/signup', signup);
router.post('/login', login);
router.post('/google-login', googleLogin);
router.post('/signup', authByIpLimiter, authByEmailLimiter, signup);
router.post('/login', authByIpLimiter, authByEmailLimiter, login);
router.post('/google-login', authByIpLimiter, googleLogin);

// 2FA login completion (rate limited β€” protects TOTP brute-force)
router.post('/login-2fa', twoFALimiter, loginWith2FA);
Expand Down
2 changes: 2 additions & 0 deletions backend/src/server.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@ const PORT = process.env.PORT;
// Initialize express
const app = express();

// Required for correct req.ip behind Render / reverse proxies (used by rate limiting)
app.set('trust proxy', 1);

app.use(
cors({
Expand Down