feat(security): add strict rate limiting and failure logging to auth endpoint (#188) #293
Merged
Xhristin3 merged 2 commits on Jun 18, 2026
Conversation
Contributor (Author): kindly review pr

force-pushed 3bd7808 to 7180b83

force-pushed 7180b83 to b5cc2c0

Contributor (Author): kindly review pr

Contributor: Hey @bamiebot-maker — strong work. 5/15min on login + register, structured audit logging with IP/UA, and the integration spec proving the 429s hit every acceptance criterion in #188. Closes #188 and merged. Thanks for the security pass! 🛡️
Description

This PR addresses issue #188 by implementing strict rate limiting and structured security audit logging for sensitive authentication endpoints (`POST /auth/login` and `POST /auth/register`). These changes mitigate brute-force and credential-stuffing vulnerabilities while preserving the global rate limits for the rest of the application routes.

Changes Made

🔒 Rate Limiting (`api/src/auth/auth.controller.ts`)
- Applied `@Throttle({ default: { limit: 5, ttl: 900000 } })` to authentication endpoints.
- Injected the `@Req() req: Request` context into controllers to capture necessary metadata.

🔌 Dependency Wiring (`api/src/auth/auth.module.ts`)
- Wired `AuditService` within the authentication scope to allow access during the validation steps.

📝 Structured Failure Logging (`api/src/auth/auth.service.ts`)
- Logs failed attempts with request metadata (`IP Address` and `User-Agent`) from the incoming request.

🧪 Test Suite Enhancements
- Unit tests (`auth.service.spec.ts`): Updated existing mocks to support the new request context argument without breaking existing tests.
- Integration test (`auth-rate-limit.integration.spec.ts`): Created a dedicated test script to simulate rapid traffic and verify that a `429 Too Many Requests` status code is correctly triggered on the 6th consecutive attempt.

Acceptance Criteria Verified
- Global routes keep the `100 req / 60s` window.
- Failure logs include `IP` and `User-Agent` telemetry.
- The `Retry-After` header is correctly present on rate-limited responses.

closes #188
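The behaviour the integration spec checks, shown as an added stand-alone example rather than the project's own NestJS code: a fixed-window limiter with the PR's login policy (5 attempts per 900000 ms) keyed by client IP, the `Retry-After` value it derives, and the structured failure record with IP and User-Agent. `FixedWindowLimiter`, `auditFailure`, `simulateBurst` and the sample IPs are assumptions for this example.

```typescript
// Added example (not the project's code): fixed-window limiter with the
// page's policy (5 attempts per 900000 ms) keyed by client IP, plus the
// structured failure record an audit logger would emit. Names are assumptions.
type Decision = { allowed: boolean; retryAfterSec?: number };

export class FixedWindowLimiter {
  private readonly windows = new Map<string, { count: number; resetAt: number }>();
  constructor(private readonly limit = 5, private readonly ttlMs = 900_000) {}

  check(key: string, nowMs: number): Decision {
    const w = this.windows.get(key);
    if (!w || nowMs >= w.resetAt) {
      // First request in a fresh window: start counting.
      this.windows.set(key, { count: 1, resetAt: nowMs + this.ttlMs });
      return { allowed: true };
    }
    if (w.count < this.limit) {
      w.count += 1;
      return { allowed: true };
    }
    // Over the limit: tell the client when the window reopens (Retry-After is in seconds).
    return { allowed: false, retryAfterSec: Math.ceil((w.resetAt - nowMs) / 1000) };
  }
}

export interface AuthFailureEvent {
  event: "auth_failure";
  route: string;
  ip: string;
  userAgent: string;
  reason: "invalid_credentials" | "rate_limited";
  at: string;
}

// Build the structured failure record; the submitted password never goes into the log.
export function auditFailure(route: string, ip: string, ua: string,
  reason: AuthFailureEvent["reason"], nowMs: number): AuthFailureEvent {
  return { event: "auth_failure", route, ip, userAgent: ua, reason, at: new Date(nowMs).toISOString() };
}

// Simulate rapid bad-credential login attempts from one IP (constructed input) and
// return the status code each attempt would receive: 401 until the limit, then 429.
export function simulateBurst(limiter: FixedWindowLimiter, ip: string, attempts: number): number[] {
  const codes: number[] = [];
  for (let i = 0; i < attempts; i++) {
    const d = limiter.check(`login:${ip}`, 1_000_000 + i * 10);
    codes.push(d.allowed ? 401 : 429);
  }
  return codes;
}
```

Keying on `login:${ip}` keeps the two auth routes and the rest of the application on separate counters, which is how the global 100 req / 60s window stays unaffected.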