From 3994988e64ddca9a932e245c3dccbe7da26d95a1 Mon Sep 17 00:00:00 2001
From: Vexx
Date: Fri, 22 May 2026 01:06:35 +0530
Subject: [PATCH] Add rate limiting on login and signup to prevent brute-force attacks

/api/auth/login and /api/auth/signup had no request throttling, allowing unlimited automated password guessing with no server-side resistance. Add express-rate-limit with a 10-request per 15-minute per-IP window on both endpoints. skipSuccessfulRequests:true ensures only failed attempts count against the quota, so legitimate users who succeed on the first try are not penalised. The limiter is mounted after passport.session() but before the route handlers so it cannot be bypassed by any route-level code. Add express-rate-limit ^7.5.1 to package.json dependencies.

Closes #372
---
 backend/package.json | 1 +
 backend/server.js | 14 ++++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/backend/package.json b/backend/package.json
index 38e15b8b..3922e0eb 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -18,6 +18,7 @@
 "cors": "^2.8.5",
 "dotenv": "^16.4.5",
 "express": "^4.21.1",
+ "express-rate-limit": "^7.5.1",
 "express-session": "^1.18.1",
 "mongoose": "^8.8.2",
 "passport": "^0.7.0",
diff --git a/backend/server.js b/backend/server.js
index 3f19f00b..a72a9ff1 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -3,6 +3,7 @@ const mongoose = require('mongoose');
 const session = require('express-session');
 const passport = require('passport');
 const bodyParser = require('body-parser');
+const rateLimit = require('express-rate-limit');
 require('dotenv').config();
 const cors = require('cors');
@@ -24,6 +25,19 @@ app.use(session({
 app.use(passport.initialize());
 app.use(passport.session());
 
+// Rate limiting — 10 attempts per 15-minute window per IP on auth endpoints
+const authLimiter = rateLimit({
+ windowMs: 15 * 60 * 1000,
+ max: 10,
+ standardHeaders: true,
+ legacyHeaders: false,
+ message: { message: 'Too many attempts, please try again after 15 minutes.' },
+ skipSuccessfulRequests: true,
+});
+
+app.use('/api/auth/login', authLimiter);
+app.use('/api/auth/signup', authLimiter);
+
 // Routes
 const authRoutes = require('./routes/auth');
 app.use('/api/auth', authRoutes);
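Review bot: Because `authLimiter` is built with `skipSuccessfulRequests: true`, a request that finishes with a status below 400 is not counted, so the `app.use('/api/auth/signup', authLimiter)` mount on the second-to-last added line leaves successful account creation from one IP effectively unthrottled — only failed signups consume quota. Give signup its own limiter with that flag off, e.g. lift the shared options into `const authLimiterOptions = { windowMs: 15 * 60 * 1000, max: 10, standardHeaders: true, legacyHeaders: false, message: { message: 'Too many attempts, please try again after 15 minutes.' } };` and mount `rateLimit({ ...authLimiterOptions, skipSuccessfulRequests: false })` on the signup path. The limiter keys on `req.ip`; if this server runs behind a reverse proxy and `trust proxy` is not set (not visible in this hunk), every client shares the proxy's address and a single bucket, while an over-permissive `trust proxy` lets the request header choose the key — express-rate-limit 7 should emit a validation warning for either case, so check the startup log. The default store is in-process memory, so in a clustered or multi-instance deployment each worker enforces its own 10-attempt window; a shared store is needed for the limit to hold across instances. A per-IP counter alone also does not bound repeated attempts against a single account from many addresses, so pairing it with a per-account counter or lockout inside the auth route would close that gap.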