Skip to content

Rate-limit authentication endpoints #239

Description

@coder13

Follow-up slice of #227.

Apply the established API rate-limit policy to the authentication router, which is outside the existing /api limiter.

Scope:

  • protect authentication code exchange and logout routes consistently;
  • add a focused regression test for requests exceeding the configured IP window;
  • retain the current response contract and CSRF protection;
  • do not add, inspect, store, or search email data.

Acceptance criteria:

  • repeated authentication-route requests receive the standard 429 response;
  • normal sign-in and logout behavior still works within the limit;
  • server tests and CodeQL pass.

Production rollout validation remains part of #176.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions