src/routes/auth.rs::login has no per-IP or per-account rate limiting or lockout mechanism — an attacker can attempt unlimited password guesses against any email address.
The Cargo.toml/README mention "rate limiting" only in the context of Stellar rate quotes, not auth throttling, and there's no tower_governor-style layer applied anywhere in main.rs. Add IP-based (and/or account-based) rate limiting middleware on /api/auth/login and /api/auth/register to mitigate brute-force and mass-registration abuse.
src/routes/auth.rs::loginhas no per-IP or per-account rate limiting or lockout mechanism — an attacker can attempt unlimited password guesses against any email address.The
Cargo.toml/README mention "rate limiting" only in the context of Stellar rate quotes, not auth throttling, and there's notower_governor-style layer applied anywhere inmain.rs. Add IP-based (and/or account-based) rate limiting middleware on/api/auth/loginand/api/auth/registerto mitigate brute-force and mass-registration abuse.