Skip to content

feat: Add login rate limiter middleware for brute-force protection#24

Open
Suyash-ka-github wants to merge 4 commits into
browseping:mainfrom
Suyash-ka-github:feat/login-rate-limiter
Open

feat: Add login rate limiter middleware for brute-force protection#24
Suyash-ka-github wants to merge 4 commits into
browseping:mainfrom
Suyash-ka-github:feat/login-rate-limiter

Conversation

@Suyash-ka-github

@Suyash-ka-github Suyash-ka-github commented Jun 19, 2026

Copy link
Copy Markdown

Summary

  • Adds Redis-backed rate limiter on login (5 attempts / 60s window, 10min cooldown)
  • Normalizes emails to lowercase at signup, OTP, forgot-password, and login
  • Closes rate-limiter bypass when password field is omitted
  • Uses atomic Lua increment+expire, generic error responses, and hashed log identifiers

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds Redis-backed brute-force protection to the /login endpoint by introducing a login rate-limiter middleware and wiring it into the user login flow.

Changes:

  • Added loginRateLimiter middleware to block login requests after too many failed attempts per IP.
  • Added controller hooks to increment failed-attempt counters and clear them on successful login.
  • Introduced a new middleware module to manage Redis-backed attempt tracking.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
src/routes/userRoutes.ts Adds loginRateLimiter to the /login route middleware chain.
src/middleware/rateLimiter.ts Implements Redis-backed rate limiting with per-IP tracking and lockout behavior.
src/controllers/userController.ts Increments failed-attempt counters on login failure paths and clears them on success.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/middleware/rateLimiter.ts Outdated
Comment thread src/middleware/rateLimiter.ts Outdated
Comment thread src/middleware/rateLimiter.ts Outdated
Comment thread src/middleware/rateLimiter.ts Outdated
@Suyash-ka-github Suyash-ka-github force-pushed the feat/login-rate-limiter branch from e0584ea to e9aa389 Compare June 20, 2026 08:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants