Skip to content

fix(auth): apply rate limiting to authentication routes#3407

Open
Daksh7785 wants to merge 1 commit into
ritesh-1918:gssocfrom
Daksh7785:fix/auth-rate-limiting
Open

fix(auth): apply rate limiting to authentication routes#3407
Daksh7785 wants to merge 1 commit into
ritesh-1918:gssocfrom
Daksh7785:fix/auth-rate-limiting

Conversation

@Daksh7785

Copy link
Copy Markdown

Summary

This PR introduces necessary rate-limiting controls to the application's authentication endpoints (/auth/login and /auth/signup) using the existing slowapi.Limiter configuration.


Root Cause

The slowapi rate limiter was already set up and protecting AI inference routes, but critical authentication routes were lacking the @limiter.limit decorators. This left them vulnerable to automated brute-force attacks and credential stuffing, as there was no restriction on the number of attempts a single client could make.


Solution

  • Added @limiter.limit("5/minute") to the POST /auth/login endpoint.
  • Added @limiter.limit("3/minute") to the POST /auth/signup endpoint.
  • Injected the FastAPI request: Request object into the endpoint signatures, which is required by slowapi to determine the remote client IP.

Files Changed

  • backend/main.py
    • Modified auth_login to include request object and limit.
    • Modified auth_signup to include request object and limit.

Testing

  • Build passed.
  • Python syntax check passed without errors.
  • Manual verification completed (endpoints accept Request object seamlessly).

Impact

  • Breaking changes: No. The request object injection is handled automatically by FastAPI and does not change the external API contract.
  • Performance impact: Negligible. Standard memory-backed sliding window evaluation.
  • Security impact: High Positive. Mitigates brute force, password spraying, and automated account creation.
  • Compatibility: Fully compatible with existing React clients.

Checklist

  • Issue solved
  • Build passes
  • Tests pass
  • Lint passes
  • No unrelated changes
  • Ready for review

@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

Someone is attempting to deploy a commit to the ritesh Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d19d1b86-01b6-445e-80c4-5d1a4f59e3f9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant