Skip to content

feat: add rate limiting to authentication routes#59

Open
jikrana1 wants to merge 1 commit into
niharika-mente:mainfrom
jikrana1:feat/auth-rate-limiting
Open

feat: add rate limiting to authentication routes#59
jikrana1 wants to merge 1 commit into
niharika-mente:mainfrom
jikrana1:feat/auth-rate-limiting

Conversation

@jikrana1

@jikrana1 jikrana1 commented Jun 16, 2026

Copy link
Copy Markdown

Description

Added rate limiting middleware to authentication routes (/register, /login, /logout) to protect against brute force attacks and fake account creation.

Changes Made

  • Installed express-rate-limit package
  • Created authLimiter (5 requests/15 min) and applied to /register, /login, /logout routes
  • Returns a clear JSON error message when limit is exceeded
  • /me route skipped as it is already protected by authenticateUser middleware

Related Issue

Closes #58

Summary by CodeRabbit

  • New Features
    • Implemented rate limiting on authentication endpoints (register, login, logout) to restrict requests to a maximum of 5 per 15-minute window, with informative error messages indicating retry timing.

@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds express-rate-limit as a dependency, introduces a new authLimiter middleware (5 requests per 15-minute window with standard headers), and applies it to the /register, /login, and /logout POST routes in authRoutes.js. The /me GET endpoint is unchanged.

Changes

Auth Route Rate Limiting

Layer / File(s) Summary
Dependency, middleware, and route wiring
backend/package.json, backend/src/middleware/authRateLimiter.js, backend/src/routes/authRoutes.js
Adds express-rate-limit to dependencies, exports authLimiter configured for 5 requests per 15-minute window with standard RateLimit headers and legacy headers disabled, and wires it as middleware on the /register, /login, and /logout POST handlers.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 Hippity hop, the limiter's set,
Five tries in fifteen, don't you forget!
Brute force attacks? The door is shut,
No spammy logins, not an "if" or "but".
The warren is safe, the auth routes cheer —
CodeRabbit approved, no intruders here! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and concisely summarizes the main change: adding rate limiting to authentication routes.
Linked Issues check ✅ Passed All requirements from issue #58 are met: express-rate-limit installed, authLimiter created with 5 requests/15-minute window, applied to /register, /login, /logout routes, and /me route correctly excluded.
Out of Scope Changes check ✅ Passed All changes are directly related to implementing rate limiting for authentication routes as specified in issue #58; no out-of-scope modifications detected.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/src/middleware/authRateLimiter.js`:
- Line 1: The authRateLimiter.js file uses the rateLimit function to create the
authLimiter export but does not import it, causing a ReferenceError when the
module loads. Add an import statement at the top of the file to import rateLimit
from the express-rate-limit package before the authLimiter export definition.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7e40729f-f102-44c3-acb1-ead2975ba1fd

📥 Commits

Reviewing files that changed from the base of the PR and between b13fd53 and a042f0c.

⛔ Files ignored due to path filters (1)
  • backend/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
  • backend/package.json
  • backend/src/middleware/authRateLimiter.js
  • backend/src/routes/authRoutes.js

@@ -0,0 +1,10 @@
export const authLimiter = rateLimit({

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify unresolved usage of `rateLimit` and whether import exists.
rg -n -C2 '\brateLimit\s*\(' backend/src/middleware/authRateLimiter.js
rg -n -C2 'from\s+"express-rate-limit"|from\s+'\''express-rate-limit'\''' backend/src/middleware/authRateLimiter.js

Repository: niharika-mente/ThinkBoard

Length of output: 166


🏁 Script executed:

#!/bin/bash
# Get full file content to check for any imports
cat -n backend/src/middleware/authRateLimiter.js

Repository: niharika-mente/ThinkBoard

Length of output: 390


🏁 Script executed:

#!/bin/bash
# Check if express-rate-limit is in package.json dependencies
rg '"express-rate-limit"' package.json -A2 -B2

Repository: niharika-mente/ThinkBoard

Length of output: 51


🏁 Script executed:

#!/bin/bash
# Check package.json structure
head -50 package.json | cat -n

Repository: niharika-mente/ThinkBoard

Length of output: 489


🏁 Script executed:

#!/bin/bash
# Search more broadly for rate-limit mentions
rg 'rate.limit|rateLimit' package.json -i

Repository: niharika-mente/ThinkBoard

Length of output: 51


🏁 Script executed:

#!/bin/bash
# Check how authRateLimiter is imported in routes to understand context
rg -l 'authRateLimiter\|authLimiter' backend/src --type js

Repository: niharika-mente/ThinkBoard

Length of output: 51


🏁 Script executed:

#!/bin/bash
# Check backend package.json
cat -n backend/package.json | head -50

Repository: niharika-mente/ThinkBoard

Length of output: 968


🏁 Script executed:

#!/bin/bash
# Search for express-rate-limit throughout backend
rg 'express-rate-limit' backend/

Repository: niharika-mente/ThinkBoard

Length of output: 473


🏁 Script executed:

#!/bin/bash
# Check how rateLimit is imported elsewhere in the codebase
rg 'import.*rateLimit' backend/src -A2 -B2

Repository: niharika-mente/ThinkBoard

Length of output: 309


🏁 Script executed:

#!/bin/bash
# Check what's in the rateLimiter.js middleware file
cat -n backend/src/middleware/rateLimiter.js

Repository: niharika-mente/ThinkBoard

Length of output: 797


🏁 Script executed:

#!/bin/bash
# Check if authLimiter is imported/used anywhere
rg 'authLimiter|authRateLimiter' backend/src

Repository: niharika-mente/ThinkBoard

Length of output: 493


Missing rateLimit import causes module load failure.

The file exports authLimiter using rateLimit() but never imports it. When authRoutes.js imports this middleware for the register, login, and logout endpoints, the module will fail to load with a ReferenceError, breaking auth route initialization.

Add the import statement:

Suggested fix
+import { rateLimit } from "express-rate-limit";
+
 export const authLimiter = rateLimit({
   windowMs: 15 * 60 * 1000, // 15 minutes
   max: 5,
   message: {
     success: false,
     message: "Too many requests, please try again after 15 minutes.",
   },
   standardHeaders: true,
   legacyHeaders: false,
 });
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
export const authLimiter = rateLimit({
import { rateLimit } from "express-rate-limit";
export const authLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 5,
message: {
success: false,
message: "Too many requests, please try again after 15 minutes.",
},
standardHeaders: true,
legacyHeaders: false,
});
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/src/middleware/authRateLimiter.js` at line 1, The authRateLimiter.js
file uses the rateLimit function to create the authLimiter export but does not
import it, causing a ReferenceError when the module loads. Add an import
statement at the top of the file to import rateLimit from the express-rate-limit
package before the authLimiter export definition.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Feature] : Add Rate Limiting to Authentication Routes in authRouter

1 participant