📌 Summary
The public-api `login` endpoint has no per-user failed-attempt tracking. Implement Redis-backed per-email lockout: after 5 consecutive failures, lock the account for 15 minutes.
🧠 What's There vs What's Missing
Already implemented:
- Project-wide rate limiter: `apps/public-api/src/middlewares/api_usage.js`.
- Redis is available and used throughout the codebase.
Missing (what contributor must build):
- No `failedAttempts` counter in Redis per `(projectId, email)`.
- No lockout check before `bcrypt.compare` in `login`.
- No counter increment on failure / reset on success.
📁 Key Files
| File | What to change |
| --- | --- |
| `apps/public-api/src/controllers/userAuth.controller.js` | `login`: add lockout check before password compare; increment on failure; reset on success |
| `packages/common/src/utils/loginLockout.js` | [NEW] Utility for `checkLockout`, `recordFailedAttempt`, `clearLockout` |
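The sketch below is an added example, not code from the project or this issue's author. It shows the shape the three utilities and the `login` ordering could take: a per-`(projectId, email)` counter in Redis, checked before the password compare, incremented on failure and deleted on success. The key prefix, the ioredis-style client methods used (`get`, `incr`, `expire`, `ttl`, `del`), the `FakeRedis` stand-in so the block runs offline, and the `verifyPassword` callback standing in for the `bcrypt.compare` step are all assumptions.

```javascript
// Added example (not the project's own code): Redis-backed per-(projectId, email)
// login lockout shaped like the loginLockout.js utility this issue asks for.
// Assumptions: key prefix, ioredis-style client methods (get, incr, expire, ttl,
// del), the in-memory FakeRedis used so the block runs offline, and the
// verifyPassword callback standing in for bcrypt.compare inside login.

const MAX_FAILED_ATTEMPTS = 5;   // lock after 5 consecutive failures
const LOCKOUT_SECONDS = 15 * 60; // lock for 15 minutes

function lockoutKey(projectId, email) {
  // Normalise the e-mail so case/whitespace variants share one counter.
  return `login:failed:${projectId}:${String(email).trim().toLowerCase()}`;
}

async function checkLockout(redis, projectId, email) {
  const key = lockoutKey(projectId, email);
  const attempts = Number(await redis.get(key)) || 0;
  if (attempts >= MAX_FAILED_ATTEMPTS) {
    const ttl = await redis.ttl(key); // seconds until the lock expires
    return { locked: true, retryAfterSeconds: ttl > 0 ? ttl : LOCKOUT_SECONDS };
  }
  return { locked: false, attempts };
}

async function recordFailedAttempt(redis, projectId, email) {
  const key = lockoutKey(projectId, email);
  const attempts = await redis.incr(key); // INCR keeps an existing TTL
  // The first failure opens the counting window; reaching the limit restarts
  // the TTL so the lock lasts the full 15 minutes from the 5th failure.
  if (attempts === 1 || attempts >= MAX_FAILED_ATTEMPTS) {
    await redis.expire(key, LOCKOUT_SECONDS);
  }
  return attempts;
}

async function clearLockout(redis, projectId, email) {
  await redis.del(lockoutKey(projectId, email));
}

// Login flow in the order the issue specifies: lockout check, then password
// compare, then increment on failure or reset on success.
async function login(redis, { projectId, email, password }, verifyPassword) {
  const status = await checkLockout(redis, projectId, email);
  if (status.locked) {
    return { ok: false, reason: 'locked', retryAfterSeconds: status.retryAfterSeconds };
  }
  if (!(await verifyPassword(email, password))) {
    await recordFailedAttempt(redis, projectId, email);
    return { ok: false, reason: 'invalid_credentials' }; // same reply as an unknown user
  }
  await clearLockout(redis, projectId, email);
  return { ok: true };
}

// Minimal in-memory stand-in for the Redis commands used above (assumption),
// with a manual clock so TTL expiry can be exercised without waiting.
class FakeRedis {
  constructor() { this.store = new Map(); this.now = 0; }
  _live(key) {
    const e = this.store.get(key);
    if (e && e.expiresAt !== null && e.expiresAt <= this.now) { this.store.delete(key); return undefined; }
    return e;
  }
  async get(key) { const e = this._live(key); return e ? String(e.value) : null; }
  async incr(key) {
    const e = this._live(key);
    if (!e) { this.store.set(key, { value: 1, expiresAt: null }); return 1; }
    return ++e.value;
  }
  async expire(key, seconds) { const e = this._live(key); if (!e) return 0; e.expiresAt = this.now + seconds; return 1; }
  async ttl(key) { const e = this._live(key); return !e ? -2 : e.expiresAt === null ? -1 : e.expiresAt - this.now; }
  async del(key) { return this._live(key) ? (this.store.delete(key), 1) : 0; }
  advance(seconds) { this.now += seconds; }
}

// Walks the policy end to end and returns the observations so they can be checked.
async function demo() {
  const redis = new FakeRedis();
  const verify = async (email, password) => // constructed user, stands in for bcrypt.compare
    email.toLowerCase() === 'alice@example.com' && password === 'correct-horse';
  const bad = { projectId: 'proj_1', email: 'Alice@Example.com', password: 'wrong' };
  const good = { ...bad, password: 'correct-horse' };
  const failures = [];
  for (let i = 0; i < MAX_FAILED_ATTEMPTS; i++) failures.push((await login(redis, bad, verify)).reason);
  const whileLocked = await login(redis, good, verify); // right password, still refused
  redis.advance(LOCKOUT_SECONDS);                       // lock expires
  const afterExpiry = await login(redis, good, verify); // succeeds and resets the counter
  const counterCleared = (await redis.get(lockoutKey(bad.projectId, bad.email))) === null;
  return { failures, whileLocked, afterExpiry, counterCleared };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

In the real utility the three functions would be exported from `packages/common/src/utils/loginLockout.js` and take the shared Redis client; the `login` controller would call them around its existing `bcrypt.compare`. Two design points worth keeping: the locked response and the bad-password response should not differ in a way that reveals whether the e-mail exists, and the counter is keyed by project as well as e-mail so a lockout in one project does not affect the same address in another.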
Getting Started
- Pick an issue and comment on it to claim it.
- Fork the repo, create a branch: `feat/nsoc-<issue-slug>`
- Read `CONTRIBUTING.md` and `AGENTS.md` before writing any code.
- Run tests before submitting: see `AGENTS.md` → Commands.
- Open a PR with the issue number in the title.
Questions? Join the issue thread or ping maintainers on the NSoC Discord.