fix(auth): apply rate limiting to authentication routes#3407
Conversation
|
Someone is attempting to deploy a commit to the ritesh Team on Vercel. A member of the Team first needs to authorize it. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary
This PR introduces necessary rate-limiting controls to the application's authentication endpoints (
/auth/loginand/auth/signup) using the existingslowapi.Limiterconfiguration.Root Cause
The
slowapirate limiter was already set up and protecting AI inference routes, but critical authentication routes were lacking the@limiter.limitdecorators. This left them vulnerable to automated brute-force attacks and credential stuffing, as there was no restriction on the number of attempts a single client could make.Solution
@limiter.limit("5/minute")to thePOST /auth/loginendpoint.@limiter.limit("3/minute")to thePOST /auth/signupendpoint.request: Requestobject into the endpoint signatures, which is required byslowapito determine the remote client IP.Files Changed
backend/main.pyauth_loginto include request object and limit.auth_signupto include request object and limit.Testing
Requestobject seamlessly).Impact
requestobject injection is handled automatically by FastAPI and does not change the external API contract.Checklist