Skip to content

[Security] Missing rate limiting on password reset and login endpoints allows brute force attacks #592

Description

@Pratikshya32

Description

Authentication and password reset endpoints lack rate limiting or back-off logic. This allows brute-force attacks on login credentials and password reset link spamming, causing server resource exhaustion.

Proposed Refactoring

  • Implement IP and user-session rate limiting using Redis token bucket filter middleware.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions