sec: Add rate limiting to token endpoint #210

@Nlkomaru

Description

Summary

The token endpoint currently has no rate limiting, making it vulnerable to brute force attacks.

Problem

  • No protection against credential stuffing
  • No protection against token endpoint abuse
  • Could lead to DoS through resource exhaustion

Solution

  • Implement rate limiting per client_id
  • Implement rate limiting per IP address
  • Consider using Ktor rate limiting plugin or custom implementation

Related Files

  • core/src/main/kotlin/party/morino/mineauth/core/web/router/auth/oauth/TokenRouter.kt
  • core/src/main/kotlin/party/morino/mineauth/core/web/router/auth/oauth/OAuthRouter.kt

Considerations

  • Balance between security and legitimate use
  • Consider exponential backoff for repeated failures
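As an added example (not code from the MineAuth project or this issue), the following Kotlin sketch shows how the per-IP and per-client_id limits proposed above could be layered on the token route with the stock Ktor `RateLimit` plugin. The limiter names, the `/oauth/token` path, the bucket sizes and the `configureTokenRateLimit` function are assumptions chosen for illustration; nesting the two `rateLimit` blocks is assumed to apply both limiters to the route.

```kotlin
import io.ktor.http.*
import io.ktor.server.application.*
import io.ktor.server.plugins.*
import io.ktor.server.plugins.ratelimit.*
import io.ktor.server.response.*
import io.ktor.server.routing.*
import java.util.Base64
import kotlin.time.Duration.Companion.minutes

// Limiter names are assumptions for this example, not identifiers from the project.
val PerIp = RateLimitName("token-per-ip")
val PerClient = RateLimitName("token-per-client")

// Extract client_id from HTTP Basic credentials (RFC 6749 section 2.3.1).
// Returns null when the header is absent or malformed so the caller can fall
// back to the source IP; reading client_id from the form body instead would
// consume the request body before TokenRouter sees it (DoubleReceive needed).
fun ApplicationCall.basicClientId(): String? {
    val header = request.headers[HttpHeaders.Authorization] ?: return null
    if (!header.startsWith("Basic ", ignoreCase = true)) return null
    val decoded = runCatching {
        String(Base64.getDecoder().decode(header.substring(6).trim()))
    }.getOrNull() ?: return null
    return decoded.substringBefore(':').takeIf { it.isNotEmpty() }
}

fun Application.configureTokenRateLimit() {
    install(RateLimit) {
        // Per-IP bucket: coarse cap on unauthenticated flooding. Behind a reverse
        // proxy, install XForwardedHeaders/ForwardedHeaders first, otherwise every
        // request is keyed on the proxy's address and shares one bucket.
        register(PerIp) {
            rateLimiter(limit = 60, refillPeriod = 1.minutes)
            requestKey { call -> call.request.origin.remoteHost }
        }
        // Per-client bucket: tighter cap keyed on client_id when the client
        // authenticates with Basic auth; public clients fall back to their IP.
        register(PerClient) {
            rateLimiter(limit = 20, refillPeriod = 1.minutes)
            requestKey { call -> call.basicClientId() ?: call.request.origin.remoteHost }
        }
    }
    routing {
        rateLimit(PerIp) {
            rateLimit(PerClient) {
                post("/oauth/token") { // assumed path; real handler lives in TokenRouter.kt
                    call.respondText(
                        """{"error":"unsupported_grant_type"}""",
                        ContentType.Application.Json,
                        HttpStatusCode.BadRequest
                    )
                }
            }
        }
    }
}
```

When a bucket is empty the plugin answers 429 with `Retry-After` and `X-RateLimit-*` headers on its own, so the token handler needs no changes. The plugin's buckets refill at a fixed rate; the exponential backoff suggested under Considerations is not something it provides, so penalising repeated failed grants (for example by lowering a client's bucket after consecutive `invalid_client` responses) would need a custom `requestWeight` or a small custom plugin around the handler.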
