Skip to content

No rate limiting on /api/auth/login enables credential-stuffing / brute force #18

Description

@abayomicornelius

src/routes/auth.rs::login has no per-IP or per-account rate limiting or lockout mechanism — an attacker can attempt unlimited password guesses against any email address.

The Cargo.toml/README mention "rate limiting" only in the context of Stellar rate quotes, not auth throttling, and there's no tower_governor-style layer applied anywhere in main.rs. Add IP-based (and/or account-based) rate limiting middleware on /api/auth/login and /api/auth/register to mitigate brute-force and mass-registration abuse.

Metadata

Metadata

Assignees

No one assigned

    Labels

    backendBackend service logicsecuritySecurity concern

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions