Securing Authentication: Rate Limiting on Auth Endpoints (SEC-14)
Version: v0.1.137
Security Control: SEC-14
Category: Infrastructure / Security
The Problem
Authentication endpoints are a primary target for automated attacks. Credential stuffing, brute-force login attempts, and account enumeration all rely on the ability to send a high volume of requests to sign-in or sign-up routes without being blocked.
Prior to this release, the platform's authentication routes were listed as public paths and had no rate limiting enforced:
- /api/auth/[...nextauth]
- /sign-in
- /sign-up
The rate limiting infrastructure was already in place — RATE_LIMITS.auth was defined in src/lib/rate-limit.ts — but it was not connected to the middleware handling these routes. As a result, an attacker could make an unlimited number of authentication attempts from a single IP address.
The Fix
With v0.1.137, the middleware (middleware.ts) now applies IP-based rate limiting to all /api/auth/* paths using the pre-configured RATE_LIMITS.auth policy.
Rate Limit Policy
| Parameter | Value |
|---|---|
| Scope | Per IP address |
| Limit | 10 requests |
| Window | 60 seconds |
| Endpoint pattern | /api/auth/* |
Response When Limit is Exceeded
When an IP address exceeds the threshold, the middleware returns:
HTTP/1.1 429 Too Many Requests
Retry-After: <seconds until window resets>
Content-Type: application/json
{
"error": "Too many requests. Please try again later."
}
The response is generated by the shared rateLimitExceededResponse() helper, ensuring consistent error formatting across all rate-limited endpoints in the platform.
Impact on Users
Legitimate users performing normal authentication flows — signing in, signing up, or using NextAuth provider callbacks — are unaffected. Ten authentication requests within a 60-second window is well above what any normal usage pattern produces.
Automated attack tooling that submits rapid-fire credential attempts from a single IP will be blocked and must wait for the rate limit window to reset before retrying.
Implementation Details
- src/middleware.ts — The route matcher for /api/auth/* now passes requests through the rate limiter before they reach the NextAuth handler. The client's IP address is extracted from the incoming request and used as the rate limit key.
- src/lib/rate-limit.ts — Unchanged. The RATE_LIMITS.auth configuration defined here (10 req / 60 s) is the single source of truth for authentication rate limit thresholds.
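The following is an added illustration of the control described above, not the platform's own src/lib/rate-limit.ts or middleware.ts: a framework-agnostic, in-memory, fixed-window limiter keyed by client IP that enforces the 10 req / 60 s policy on /api/auth/* and produces the 429 response shown earlier. The function names, the Map store and the plain-object response shape are assumptions made so the example runs stand-alone.

```typescript
// Assumed shape of the RATE_LIMITS.auth policy: 10 requests per 60-second window.
const RATE_LIMITS = { auth: { limit: 10, windowMs: 60_000 } } as const;

type Policy = { limit: number; windowMs: number };
type Bucket = { count: number; windowStart: number };
type RateLimitResult = { allowed: boolean; remaining: number; retryAfterSec: number };

// One bucket per key (here the client IP). A multi-instance deployment would need a
// shared store such as Redis instead of a per-process Map, or each instance would
// grant its own 10 requests.
const buckets = new Map<string, Bucket>();

// Fixed-window check: the first request after a window expires starts a new one.
function checkRateLimit(key: string, policy: Policy, now: number = Date.now()): RateLimitResult {
  let b = buckets.get(key);
  if (!b || now - b.windowStart >= policy.windowMs) {
    b = { count: 0, windowStart: now };
    buckets.set(key, b);
  }
  if (b.count >= policy.limit) {
    const resetMs = b.windowStart + policy.windowMs - now;
    return { allowed: false, remaining: 0, retryAfterSec: Math.ceil(resetMs / 1000) };
  }
  b.count += 1;
  return { allowed: true, remaining: policy.limit - b.count, retryAfterSec: 0 };
}

// Route matcher for /api/auth/*, which covers the /api/auth/[...nextauth] routes.
function isAuthPath(pathname: string): boolean {
  return pathname.startsWith("/api/auth/");
}

// The 429 envelope: Retry-After carries the seconds until the window resets.
function rateLimitExceededResponse(retryAfterSec: number) {
  return {
    status: 429,
    headers: { "Retry-After": String(retryAfterSec), "Content-Type": "application/json" },
    body: JSON.stringify({ error: "Too many requests. Please try again later." }),
  };
}

// Middleware-style decision for one request: a 429 envelope, or null to pass through.
function handleAuthRequest(ip: string, pathname: string, now: number = Date.now()) {
  if (!isAuthPath(pathname)) return null;
  const r = checkRateLimit(`auth:${ip}`, RATE_LIMITS.auth, now);
  return r.allowed ? null : rateLimitExceededResponse(r.retryAfterSec);
}
```

Because the key is the client IP, many users behind one NAT or corporate proxy share a single bucket, and the IP must be read from a header the load balancer is trusted to set rather than from a client-controlled one.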
Related Security Controls
This change addresses SEC-14 in the platform's security control register. If you are reviewing the platform's compliance posture, this control maps to protections against:
- Brute-force authentication attacks
- Credential stuffing
- Account enumeration via repeated sign-in probing