Calmony Sanctions Monitor docs, updated March 11, 2026

Security Fix: Rate Limiting on Authentication Endpoints (SEC-08)

Release: v0.1.51
OWASP Control: SEC-08 — Insecure Design
Affected file: src/middleware.ts

Background

The platform authenticates users exclusively via OAuth. While this eliminates traditional username/password brute-force attacks, it does not automatically protect against:

  • OAuth token harvesting — an attacker repeatedly initiating OAuth flows to probe or collect tokens.
  • Provider rate limit abuse — flooding the authentication path to exhaust quotas on an upstream OAuth provider (e.g. Google, Microsoft Entra).

Prior to v0.1.51, the authentication routes (/api/auth/[...nextauth], /sign-in, /sign-up) were declared as public routes in src/middleware.ts and received no rate limiting. The RATE_LIMITS.auth tier existed in src/lib/rate-limit.ts but was not connected to any handler.

What Was Fixed

In src/middleware.ts, IP-based rate limiting using the RATE_LIMITS.auth tier is now applied to the /api/auth path prefix before the request reaches NextAuth. This means:

  1. Every request to an authentication route is evaluated against the RATE_LIMITS.auth budget for the originating IP.
  2. Requests that exceed the allowed rate receive a 429 Too Many Requests response immediately, without hitting NextAuth or the OAuth provider.
  3. Legitimate users are unaffected — the RATE_LIMITS.auth thresholds are calibrated for normal interactive sign-in patterns.

Affected Routes

Route                      Rate Limited
/api/auth/[...nextauth]    ✅ Yes (via middleware)
/sign-in                   ✅ Yes (via middleware)
/sign-up                   ✅ Yes (via middleware)

Implementation Detail

The fix wires the pre-existing RATE_LIMITS.auth configuration into src/middleware.ts using the platform's withRateLimit utility. No changes were required to src/lib/rate-limit.ts — the rate limit tier was already correctly defined.

// Conceptual flow in src/middleware.ts (simplified); non-auth paths fall through untouched
import type { NextRequest } from 'next/server';
import { RATE_LIMITS, withRateLimit } from './lib/rate-limit';
export function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl;
  if (pathname.startsWith('/api/auth')) {
    // Apply RATE_LIMITS.auth tier before forwarding to NextAuth
    return withRateLimit(RATE_LIMITS.auth, request);
  }
}
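The following is an added, self-contained example of the gate described above (per-IP budget on the /api/auth prefix, 429 with a Retry-After header when the budget is exhausted, other paths untouched). It is not the project's withRateLimit or RATE_LIMITS code: the tier thresholds, the sliding-window strategy, the `authGate` and `SlidingWindowLimiter` names and the request/response shapes are all assumptions made here so the logic runs without Next.js.

```typescript
// Added example, not Calmony's src/middleware.ts or src/lib/rate-limit.ts.
// RATE_LIMITS.auth's real thresholds are not documented on this page, so the
// tier below uses assumed values purely for illustration.
interface RateLimitTier { limit: number; windowMs: number }
const AUTH_TIER: RateLimitTier = { limit: 5, windowMs: 60_000 }; // assumed values
const AUTH_PREFIX = '/api/auth';

interface Decision { status: 200 | 429; remaining: number; retryAfterSec?: number }

// Sliding-window log keyed by client IP: timestamps of *accepted* requests.
// Rejected requests are not recorded, so a blocked client cannot extend its own lockout.
class SlidingWindowLimiter {
  private hits = new Map<string, number[]>();
  private tier: RateLimitTier;
  constructor(tier: RateLimitTier) { this.tier = tier; }

  check(key: string, now: number): Decision {
    const windowStart = now - this.tier.windowMs;
    const recent = (this.hits.get(key) ?? []).filter((t) => t > windowStart);
    if (recent.length >= this.tier.limit) {
      this.hits.set(key, recent); // prune expired entries, keep the rest
      const retryAfterMs = recent[0] + this.tier.windowMs - now; // when the oldest hit expires
      return { status: 429, remaining: 0, retryAfterSec: Math.ceil(retryAfterMs / 1000) };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { status: 200, remaining: this.tier.limit - recent.length };
  }
}

// Minimal request/response shapes standing in for NextRequest/NextResponse.
interface Req { ip: string; pathname: string }
interface Res { status: number; headers: Record<string, string> }

// The middleware decision: only the auth prefix is budgeted; everything else passes.
function authGate(limiter: SlidingWindowLimiter, req: Req, now: number): Res {
  if (!req.pathname.startsWith(AUTH_PREFIX)) {
    return { status: 200, headers: {} };
  }
  const d = limiter.check(`auth:${req.ip}`, now);
  if (d.status === 429) {
    // Reject before NextAuth or the upstream OAuth provider sees the request.
    return {
      status: 429,
      headers: { 'Retry-After': String(d.retryAfterSec), 'X-RateLimit-Remaining': '0' },
    };
  }
  return { status: 200, headers: { 'X-RateLimit-Remaining': String(d.remaining) } };
}

// Constructed burst from one IP against the auth route, followed by a request from
// a second IP and one after the window has rolled over. Returns the status sequence.
function simulateBurst(): number[] {
  const limiter = new SlidingWindowLimiter({ limit: 3, windowMs: 1_000 }); // assumed small tier
  const t0 = 1_000_000;
  const auth = (ip: string, at: number) => authGate(limiter, { ip, pathname: '/api/auth/signin' }, at).status;
  return [
    auth('203.0.113.9', t0),        // 200
    auth('203.0.113.9', t0 + 10),   // 200
    auth('203.0.113.9', t0 + 20),   // 200, budget now spent
    auth('203.0.113.9', t0 + 30),   // 429
    auth('198.51.100.4', t0 + 30),  // 200, separate IP has its own budget
    auth('203.0.113.9', t0 + 1001), // 200, oldest hit has aged out of the window
  ];
}

export { SlidingWindowLimiter, authGate, simulateBurst, AUTH_TIER };
```

The key is the client IP, so the value used for it matters: in a Next.js middleware behind a reverse proxy, take the address the proxy itself sets and ignore client-supplied forwarding headers, otherwise a caller can rotate the header value and get a fresh budget per request. The in-memory map above is per process; a multi-instance deployment needs a shared store for the window, or each instance will enforce the budget independently.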

Compliance

This change satisfies OWASP SEC-08 (Insecure Design) by ensuring that all authentication entry points are protected against automated abuse through enforced request rate limits.