Description
A CRITICAL security vulnerability exists in backend/routes/auth.js at lines 9 and 34. There is no rate limiting, account lockout, or any throttling mechanism on the login or signup endpoints, allowing unlimited automated credential-stuffing and brute-force attacks.
Impact
An attacker can automate millions of password attempts against any known email address with no server-side resistance. Using a common wordlist (e.g., rockyou.txt), a weak password can be cracked in minutes. The signup endpoint is similarly unprotected, enabling bot-driven mass account registration that can exhaust database capacity.
Steps to Reproduce
- Send POST /api/auth/login with { "email": "victim@example.com", "password": "wrong" } in a loop 100 times.
- Observe all 100 requests return 401 — none are blocked or slowed.
- Replace "wrong" with a password from a dictionary list and observe successful login on a weak account.
Expected Behaviour
After 10 failed attempts from the same IP within 15 minutes, the server should return 429 Too Many Requests with a Retry-After header.
Proposed Fix
Install express-rate-limit and apply a limiter of 10 requests per 15-minute window per IP to /api/auth/login and /api/auth/signup, configured with skipSuccessfulRequests: true.
// backend/server.js
const express = require('express');
const rateLimit = require('express-rate-limit');

const app = express();
app.use(express.json());
// Behind a reverse proxy, enable trust proxy so req.ip is the client address
// rather than the proxy's; otherwise every user shares a single bucket.
// app.set('trust proxy', 1);

// One limiter for both auth endpoints: 10 requests per 15-minute window, keyed
// by client IP. Successful requests are not counted, so only failed attempts
// (wrong password, rejected signup) consume the budget.
const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 10,
  standardHeaders: true, // send RateLimit-* headers and Retry-After on 429
  legacyHeaders: false,  // omit the non-standard X-RateLimit-* headers
  message: { message: 'Too many attempts, please try again after 15 minutes.' },
  skipSuccessfulRequests: true,
});

// Must be registered before the auth router from backend/routes/auth.js is mounted.
app.use('/api/auth/login', authLimiter);
app.use('/api/auth/signup', authLimiter);
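To make the expected behaviour concrete without pulling in Express or the express-rate-limit package, the following is an added example (not code from this issue or from the project) of a dependency-free per-IP fixed-window limiter with the same semantics as the configuration proposed above: 10 attempts per 15-minute window, only failed attempts counted (the skipSuccessfulRequests behaviour), and a 429 response carrying a Retry-After header once the budget is spent. The demo account, the client IP 203.0.113.5, and the injected clock are constructed for the example; the login handler stands in for the real one in backend/routes/auth.js, which should compare against a stored password hash rather than a plaintext string.

```javascript
// Added example: per-IP fixed-window limiter mirroring the proposed
// express-rate-limit settings. Not the project's code.
const WINDOW_MS = 15 * 60 * 1000; // 15 minutes
const MAX_ATTEMPTS = 10;

function createAuthLimiter({ windowMs = WINDOW_MS, max = MAX_ATTEMPTS, now = () => Date.now() } = {}) {
  // client IP -> { count, resetAt }; a real deployment would back this with a shared store
  const buckets = new Map();

  function bucketFor(ip, t) {
    let b = buckets.get(ip);
    if (!b || t >= b.resetAt) {
      b = { count: 0, resetAt: t + windowMs }; // window expired: start a fresh one
      buckets.set(ip, b);
    }
    return b;
  }

  // Called before the credential check. Returns null if the request may proceed,
  // otherwise the 429 response to send, including Retry-After in seconds.
  function check(ip) {
    const t = now();
    const b = bucketFor(ip, t);
    if (b.count >= max) {
      const retryAfterSec = Math.ceil((b.resetAt - t) / 1000);
      return {
        status: 429,
        headers: {
          'Retry-After': String(retryAfterSec),
          'RateLimit-Limit': String(max),
          'RateLimit-Remaining': '0',
        },
        body: { message: 'Too many attempts, please try again after 15 minutes.' },
      };
    }
    return null;
  }

  // Called after the credential check. Only failures consume an attempt, so a
  // legitimate user who logs in correctly is never penalised (skipSuccessfulRequests).
  function record(ip, succeeded) {
    if (succeeded) return;
    bucketFor(ip, now()).count += 1;
  }

  return { check, record };
}

// Constructed stand-in for the login route (hypothetical demo account).
const DEMO_USERS = { 'victim@example.com': 'correct horse battery staple' };

function handleLogin(limiter, ip, email, password) {
  const blocked = limiter.check(ip);
  if (blocked) return blocked;
  // Production code compares against a bcrypt/argon2 hash, not a plaintext string.
  const ok = DEMO_USERS[email] !== undefined && DEMO_USERS[email] === password;
  limiter.record(ip, ok);
  return ok
    ? { status: 200, body: { message: 'ok' } }
    : { status: 401, body: { message: 'Invalid credentials' } };
}

// Replays the issue's reproduction step: N wrong passwords from one IP, one per second.
// Returns the list of HTTP statuses so the cut-over from 401 to 429 is visible.
function simulateBruteForce(attempts = 100) {
  let clock = 0;
  const limiter = createAuthLimiter({ now: () => clock });
  const statuses = [];
  for (let i = 0; i < attempts; i++) {
    clock += 1000;
    statuses.push(handleLogin(limiter, '203.0.113.5', 'victim@example.com', 'wrong').status);
  }
  return statuses;
}

if (typeof require !== 'undefined' && require.main === module) {
  const s = simulateBruteForce(100);
  console.log(`401 responses: ${s.filter((x) => x === 401).length}, 429 responses: ${s.filter((x) => x === 429).length}`);
}
```

Running the simulation shows the first 10 wrong guesses answered with 401 and the remaining 90 with 429, which is exactly the check described under Expected Behaviour. Two points worth keeping in mind when the real fix lands: the in-memory Map is per process, so multiple backend instances need a shared store (express-rate-limit supports external stores for this), and keying on IP alone can both let a distributed attacker through and lock out users behind a shared NAT, so per-account lockout or a CAPTCHA step is a common complement.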
Files affected: backend/routes/auth.js, backend/server.js, backend/package.json
Labels
type:security level:intermediate gssoc:approved
Please assign this issue to me under GSSoC 2026. I will open a PR with a complete fix covering all affected files, proper test coverage, and verification steps.