Skip to content

feat: implement rate limiting on sensitive auth endpoints#145

Merged
LaGodxy merged 3 commits into
MettaChain:mainfrom
Jayking40:main
Mar 24, 2026
Merged

feat: implement rate limiting on sensitive auth endpoints#145
LaGodxy merged 3 commits into
MettaChain:mainfrom
Jayking40:main

Conversation

@Jayking40

Copy link
Copy Markdown
Contributor

Add Rate Limiting on Sensitive Authentication Endpoints

Summary

This PR implements comprehensive rate limiting for sensitive authentication endpoints to prevent brute-force attacks and abuse. The implementation addresses critical security gaps in password reset, token refresh, and MFA endpoints by adding stricter rate limits, IP-based blocking, and progressive delay mechanisms.

Changes

Security Enhancements

  • Created new SensitiveEndpointRateLimitGuard with advanced protection features including progressive delays that increase with repeated violations and automatic IP blocking after exceeding limits
  • Implemented strict rate limiting on password reset endpoints with 3 requests per 15 minutes for password reset requests and 5 requests per 15 minutes for password reset confirmations, both with automatic IP blocking
  • Added rate limiting to MFA endpoints including 5 attempts per 5 minutes for MFA verification, 10 attempts per 5 minutes for backup code verification, and 3 requests per hour for sensitive operations like backup code generation
  • Integrated IP-based blocking that automatically blocks malicious IPs for configurable durations (30 minutes to 1 hour) with support for IP whitelisting
  • Implemented progressive delay mechanism that increases delay time with each violation (up to 10 seconds) to slow down automated attacks

Technical Implementation

  • Rate limiting uses sliding window algorithm with Redis for distributed tracking across multiple application instances
  • Smart key generation tracks limits by user ID (authenticated), email (password reset), or IP address (fallback)
  • Comprehensive rate limit headers included in all responses (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, Retry-After)
  • Fail-open design ensures service availability even if Redis is temporarily unavailable
  • Proper IP extraction from x-forwarded-for headers for correct tracking behind proxies and load balancers

Code Quality

  • Added comprehensive unit tests covering rate limit enforcement, IP blocking integration, progressive delays, and fail-open behavior
  • Created integration tests verifying end-to-end functionality for all protected endpoints
  • Included detailed documentation explaining configuration options, usage patterns, and security considerations
  • Maintained backward compatibility with no breaking changes to existing API contracts

Testing

All new functionality is covered by:

  • Unit tests for the SensitiveEndpointRateLimitGuard (15+ test cases)
  • Integration tests for password reset, MFA, and token refresh endpoints
  • Tests verify rate limit enforcement, IP blocking, progressive delays, and header accuracy

The implementation has been designed with production reliability in mind, including fail-open behavior and comprehensive error logging.

Configuration

Rate limits can be customized per endpoint using the @SensitiveRateLimit decorator with options for window duration, max requests, progressive delays, and IP blocking behavior. See the documentation in docs/RATE_LIMITING_IMPLEMENTATION.md for complete configuration details.

Security Impact

This implementation significantly improves the security posture of the application by:

  • Preventing brute-force attacks on password reset flows
  • Protecting MFA endpoints from automated token guessing
  • Automatically blocking malicious IPs
  • Slowing down attackers with progressive delays
  • Providing visibility through comprehensive logging

Closes #92

@drips-wave

drips-wave Bot commented Mar 23, 2026

Copy link
Copy Markdown

@Jayking40 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@LaGodxy LaGodxy merged commit 8781643 into MettaChain:main Mar 24, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Missing Rate Limiting on Sensitive Endpoints

2 participants