Follow-up slice of #227.
Apply the established API rate-limit policy to the authentication router, which is outside the existing /api limiter.
Scope:
- protect authentication code exchange and logout routes consistently;
- add a focused regression test for requests exceeding the configured IP window;
- retain the current response contract and CSRF protection;
- do not add, inspect, store, or search email data.
Acceptance criteria:
- repeated authentication-route requests receive the standard 429 response;
- normal sign-in and logout behavior still works within the limit;
- server tests and CodeQL pass.
Production rollout validation remains part of #176.
Follow-up slice of #227.
Apply the established API rate-limit policy to the authentication router, which is outside the existing /api limiter.
Scope:
Acceptance criteria:
Production rollout validation remains part of #176.