Security Update: Rate Limiting & Brute-Force Protection on Auth Endpoints
Release: v1.0.26
OWASP Control: SEC-08 — Insecure Design
Overview
Calmony Pay v1.0.26 introduces hardening measures against brute-force and enumeration attacks targeting the authentication layer. This release addresses OWASP SEC-08 by enforcing per-IP rate limits, logging failed authentication events, and mitigating invite token enumeration.
Background
While Calmony Pay uses OAuth exclusively as its authentication provider (password login is disabled), the following weaknesses existed prior to this release:
- The OAuth initiation flow at /api/auth/* accepted unlimited requests from any IP, making it trivially cheap to abuse.
- Invite token acceptance endpoints had no throttling, delay, or attempt counter, leaving them vulnerable to timing-based enumeration.
- No audit trail existed for failed or suspicious authentication attempts.
What Changed
Per-IP Rate Limiting on /api/auth/*
All routes under /api/auth/* are now rate-limited to 10 requests per minute per IP address. Requests exceeding this threshold are rejected before reaching the authentication handler.
This is enforced in src/middleware.ts and applies to:
- OAuth initiation requests
- OAuth callback routes
- Any other authentication-related endpoints under the /api/auth/ namespace
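The per-IP limit and the audit hook described above, as an added illustration that is not Calmony Pay's own src/middleware.ts: the in-memory store, the allowAuthRequest()/isAuthRoute() helpers, the simulated burst and the logAudit() stand-in are assumptions for demonstration, and the 10 requests per minute window is the value stated in this release note.

```typescript
// Illustrative sliding-window limiter for /api/auth/*; hypothetical code, not the project's.
const WINDOW_MS = 60_000;   // one minute
const MAX_REQUESTS = 10;    // 10 requests per minute per IP (from the release note)

type AuditEvent = { kind: string; ip: string; path: string; at: number };

// Per-IP timestamps of recent requests. A single-process store like this
// would need to be shared (e.g. Redis) when running several instances.
const hits = new Map<string, number[]>();
const auditLog: AuditEvent[] = [];   // constructed sink standing in for the real logAudit()

function logAudit(event: AuditEvent): void {
  auditLog.push(event);
}

// Only the authentication namespace is subject to the limit.
function isAuthRoute(path: string): boolean {
  return path.startsWith("/api/auth/");
}

// Returns true when the request may reach the auth handler, false when it is
// rejected at the middleware layer; every rejection is written to the audit log.
function allowAuthRequest(ip: string, path: string, now: number): boolean {
  const recent = (hits.get(ip) ?? []).filter((t) => now - t < WINDOW_MS);
  if (recent.length >= MAX_REQUESTS) {
    hits.set(ip, recent);
    logAudit({ kind: "auth_rate_limited", ip, path, at: now });
    return false;
  }
  recent.push(now);
  hits.set(ip, recent);
  return true;
}

// Simulate one client sending `count` requests 10 ms apart to the OAuth callback.
function simulateBurst(ip: string, count: number, startMs: number): { allowed: number; rejected: number } {
  let allowed = 0;
  let rejected = 0;
  const path = "/api/auth/callback";
  for (let i = 0; i < count; i++) {
    if (!isAuthRoute(path)) continue;
    if (allowAuthRequest(ip, path, startMs + i * 10)) allowed++;
    else rejected++;
  }
  return { allowed, rejected };
}

function auditEntries(): AuditEvent[] {
  return auditLog;
}
```

Twelve requests inside one second from a constructed client address yield 10 allowed and 2 rejected, and the same address is admitted again once the minute has elapsed.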
Audit Logging of Failed Authentication Events
Failed and suspicious authentication events are now recorded via the logAudit() function. This provides:
- A traceable record of repeated failed attempts
- Visibility into potential abuse patterns
- An audit trail for security review and incident response
Invite Token Enumeration Hardening
Invite token acceptance now includes a delay and/or attempt counter to prevent timing-based enumeration. Previously, an attacker could rapidly guess invite tokens with no observable penalty. The added friction makes systematic enumeration impractical.
Impact
| Attack Vector | Before v1.0.26 | After v1.0.26 |
|---|---|---|
| OAuth initiation flooding | Unlimited attempts | 10 req/min per IP |
| Invite token guessing | No throttle or delay | Delay + attempt counter |
| Failed auth visibility | No logging | Logged via logAudit() |
No Breaking Changes
This is a transparent security hardening update. Legitimate users operating within normal usage patterns will not be affected. No API contracts, request formats, or response schemas have changed.