@danialahmad-ucl
Contributor

Description

Implements IP-based rate limiting on authentication endpoints (/api/auth/login and /api/auth/register) to protect against brute force attacks.

Fixes #13

Changes Made

  • ✅ Created rate limiter middleware using token bucket algorithm
  • ✅ Applied rate limiting to /api/auth/login and /api/auth/register
  • ✅ Added comprehensive unit tests for rate limiter
  • ✅ Updated Swagger documentation with HTTP 429 responses
  • ✅ Added golang.org/x/time dependency for rate limiting

Configuration

  • Rate Limit: 5 requests per second
  • Burst Size: 10 requests
  • Scope: Per IP address
  • Response: HTTP 429 with error message when limit exceeded

Implementation Details

  • Uses token bucket algorithm for smooth rate limiting
  • Thread-safe implementation with mutex protection
  • Automatic cleanup routine runs hourly to prevent memory leaks
  • Rate limiter isolated per IP address

Testing

Run the rate limiter tests:

go test ./internal/middleware/ratelimiter/

Test manually with rapid requests:

for i in {1..15}; do curl -X POST http://localhost:8080/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"[email protected]","password":"password123"}' \
  -w "\nStatus: %{http_code}\n"; done

Expected: First 10 requests succeed, remaining get HTTP 429

Security Impact

  • ✅ Prevents brute force password attacks
  • ✅ Protects against credential stuffing
  • ✅ Mitigates account enumeration attempts
  • ✅ Reduces server load from automated attacks

Breaking Changes

None - This is a backward-compatible security enhancement.

- Implement token bucket algorithm for rate limiting
- Support per-IP rate limiting with configurable limits
- Include automatic cleanup routine to prevent memory leaks
- Return HTTP 429 when rate limit exceeded
- Test rate limiting functionality
- Test per-IP isolation
- Test burst capacity handling
- Test cleanup routine
- Test middleware integration with Gin
- Protect /api/auth/login and /api/auth/register endpoints
- Configure 5 requests per second with burst of 10
- Start cleanup routine every hour
- Resolves joshua-sajeev#13
- Add HTTP 429 response documentation for login endpoint
- Add HTTP 429 response documentation for register endpoint
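The description above (token bucket, per-IP isolation, mutex protection, hourly cleanup, HTTP 429 on exhaustion) maps onto a small, runnable middleware. The following is an added illustration written for this page, not the PR's own code: it uses only the Go standard library, so the bucket is hand-written instead of coming from golang.org/x/time/rate and the handler wraps net/http rather than Gin. The limits (5 requests per second, burst 10, hourly cleanup) are taken from the PR; the type and function names, the idle TTL and the injectable clock are assumptions of the example.

```go
package main

import (
	"log"
	"math"
	"net"
	"net/http"
	"sync"
	"time"
)

// tokenBucket is a minimal token bucket (an example stand-in for the
// golang.org/x/time/rate limiter the PR uses).
type tokenBucket struct {
	tokens float64   // tokens currently available
	last   time.Time // last refill time
}

// refillAndTake credits tokens earned since the last call, caps them at burst,
// and spends one if any is available.
func (b *tokenBucket) refillAndTake(now time.Time, rate, burst float64) bool {
	b.tokens = math.Min(burst, b.tokens+now.Sub(b.last).Seconds()*rate)
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// IPRateLimiter holds one bucket per client IP. The mutex makes it safe for
// concurrent handlers; Cleanup bounds the map so idle IPs do not leak memory.
type IPRateLimiter struct {
	mu      sync.Mutex
	buckets map[string]*tokenBucket
	rate    float64          // sustained requests per second (PR: 5)
	burst   int              // bucket capacity (PR: 10)
	ttl     time.Duration    // idle time after which a bucket is dropped (assumed)
	now     func() time.Time // clock, replaceable in tests
}

func NewIPRateLimiter(rate float64, burst int, ttl time.Duration) *IPRateLimiter {
	return &IPRateLimiter{buckets: map[string]*tokenBucket{}, rate: rate, burst: burst, ttl: ttl, now: time.Now}
}

// Allow reports whether one more request from ip fits within the limit.
func (l *IPRateLimiter) Allow(ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	b, ok := l.buckets[ip]
	if !ok {
		b = &tokenBucket{tokens: float64(l.burst), last: now} // new clients start with a full burst
		l.buckets[ip] = b
	}
	return b.refillAndTake(now, l.rate, float64(l.burst))
}

// Cleanup deletes buckets idle for longer than ttl and returns how many it removed.
func (l *IPRateLimiter) Cleanup() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	now, removed := l.now(), 0
	for ip, b := range l.buckets {
		if now.Sub(b.last) > l.ttl {
			delete(l.buckets, ip)
			removed++
		}
	}
	return removed
}

// Len returns the number of tracked IPs (lets a test confirm cleanup worked).
func (l *IPRateLimiter) Len() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	return len(l.buckets)
}

// clientIP keys on the TCP peer address. X-Forwarded-For is deliberately not
// consulted: a client could otherwise choose its own bucket, so only trust that
// header behind a proxy you control.
func clientIP(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// Middleware answers 429 when the caller's bucket is empty, otherwise passes through.
func (l *IPRateLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !l.Allow(clientIP(r)) {
			w.Header().Set("Retry-After", "1")
			http.Error(w, `{"error":"rate limit exceeded"}`, http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	limiter := NewIPRateLimiter(5, 10, time.Hour) // the PR's 5 req/s with burst 10
	go func() {                                   // hourly cleanup, as the PR describes
		for range time.Tick(time.Hour) {
			limiter.Cleanup()
		}
	}()
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	mux := http.NewServeMux()
	mux.Handle("/api/auth/login", limiter.Middleware(ok))
	mux.Handle("/api/auth/register", limiter.Middleware(ok))
	log.Fatal(http.ListenAndServe(":8080", mux))
}
```

With these parameters a fresh client gets 10 requests through immediately, then one more every 200 ms, matching the "first 10 succeed, rest get 429" expectation in the Testing section. Two caveats worth keeping in mind when reviewing a change like this: keying on IP alone is weak against credential stuffing spread across many source addresses, and it can lock out legitimate users behind a shared NAT or corporate egress, so a per-account counter alongside the per-IP one is the usual complement.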
@danialahmad-ucl
Contributor Author

danialahmad-ucl commented Nov 22, 2025

@joshua-sajeev I have created a PR for the fix of the issue. Please let me know if further changes are required.

@joshua-sajeev joshua-sajeev merged commit 10510cd into joshua-sajeev:main Nov 23, 2025
1 check passed
Development

Successfully merging this pull request may close these issues.

Missing Rate Limiting on Authentication Endpoints