Security Update: Rate Limiting Now Enforced on Authentication Endpoints
Version: 0.1.50
Category: Security — OWASP SEC-08 (Insecure Design)
What changed
As of v0.1.50, IP-based rate limiting is enforced on all authentication-related routes:
- /api/auth/[...nextauth]
- /sign-in
- /sign-up
Previously, these routes were listed as public routes in middleware.ts and received no rate limiting. The RATE_LIMITS.auth tier already existed in src/lib/rate-limit.ts but was not wired into any auth handler. That gap is now closed.
Why this matters
The platform uses OAuth-only authentication, which eliminates the classic password brute-force attack surface. However, without rate limiting on auth endpoints, an attacker could still:
- Make a high volume of OAuth initiation requests to attempt token harvesting
- Exhaust the upstream OAuth provider's rate limits, which are counted against the platform's own client credentials
- Generate noise that obscures legitimate authentication activity in audit logs
Applying the RATE_LIMITS.auth tier to these routes mitigates all three vectors.
How it works
Requests to /api/auth/* now pass through withRateLimit(RATE_LIMITS.auth) in middleware.ts before being forwarded to NextAuth. Requests that exceed the configured threshold for a given IP address receive a 429 Too Many Requests response. Legitimate users performing normal sign-in flows will not be affected.
    Incoming request to /api/auth/*
                  │
                  ▼
    withRateLimit(RATE_LIMITS.auth)  ◄── enforced in middleware.ts
                  │
            ┌─────┴─────┐
            │           │
         Allowed    Blocked (429)
            │
            ▼
      NextAuth handler
Configuration
The rate limit thresholds are defined in src/lib/rate-limit.ts under the RATE_LIMITS.auth key. No environment variable changes are required for this release.
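The following is an added example of the pattern the "How it works" and "Configuration" sections describe: a per-IP limiter tier, a withRateLimit wrapper that answers 429 once the threshold is exceeded, and a middleware that applies it only to /api/auth/* before handing off to the downstream handler. It is not the project's src/lib/rate-limit.ts or middleware.ts; the tier values (10 requests per 60 s), the request/response shapes, the trustProxy option and the sample IP and path are assumptions constructed for illustration.

```typescript
// Added example, not the project's code. Thresholds, request shape and the
// trustProxy option are assumptions; the real tier lives in src/lib/rate-limit.ts.

type RateLimitTier = { windowMs: number; max: number };

// Hypothetical thresholds: 10 requests per IP per 60-second window.
const RATE_LIMITS: { auth: RateLimitTier } = {
  auth: { windowMs: 60_000, max: 10 },
};

type Req = { ip: string; path: string; headers?: Record<string, string> };
type Res = { status: number; headers: Record<string, string> };
type Clock = () => number; // injected so window rollover is deterministic in tests
type Bucket = { windowStart: number; count: number };

// Fixed-window counter keyed by client identity (here, the IP address).
function createRateLimiter(tier: RateLimitTier, now: Clock = Date.now) {
  const buckets = new Map<string, Bucket>();
  return function check(key: string): { allowed: boolean; retryAfterSec: number; remaining: number } {
    const t = now();
    let b = buckets.get(key);
    if (!b || t - b.windowStart >= tier.windowMs) {
      b = { windowStart: t, count: 0 }; // start a fresh window
      buckets.set(key, b);
    }
    if (b.count >= tier.max) {
      const retryAfterSec = Math.ceil((b.windowStart + tier.windowMs - t) / 1000);
      return { allowed: false, retryAfterSec, remaining: 0 };
    }
    b.count += 1;
    return { allowed: true, retryAfterSec: 0, remaining: tier.max - b.count };
  };
}

// Client IP selection. Honouring X-Forwarded-For unconditionally lets a client
// pick its own bucket, so it is only used when the deployment is known to sit
// behind a proxy that overwrites the header (trustProxy is an assumed option).
function clientIp(req: Req, trustProxy: boolean): string {
  const xff = req.headers?.["x-forwarded-for"];
  if (trustProxy && xff) {
    const first = xff.split(",")[0];
    if (first) return first.trim();
  }
  return req.ip;
}

// Wraps a downstream handler: blocked requests get 429 plus a Retry-After hint,
// allowed requests pass through with a remaining-quota header attached.
function withRateLimit(tier: RateLimitTier, opts: { trustProxy?: boolean; now?: Clock } = {}) {
  const check = createRateLimiter(tier, opts.now);
  return function middleware(req: Req, next: (req: Req) => Res): Res {
    const result = check(clientIp(req, opts.trustProxy ?? false));
    if (!result.allowed) {
      return { status: 429, headers: { "retry-after": String(result.retryAfterSec) } };
    }
    const res = next(req);
    res.headers["x-ratelimit-remaining"] = String(result.remaining);
    return res;
  };
}

// Middleware routing: only /api/auth/* is subject to the auth tier; everything
// else reaches the downstream handler (a stand-in for NextAuth) untouched.
function buildAuthMiddleware(opts: { trustProxy?: boolean; now?: Clock } = {}) {
  const limited = withRateLimit(RATE_LIMITS.auth, opts);
  const downstream = (_req: Req): Res => ({ status: 200, headers: {} });
  return function handle(req: Req): Res {
    return req.path.startsWith("/api/auth/") ? limited(req, downstream) : downstream(req);
  };
}

// Drives a burst of constructed requests from one IP and returns the statuses.
function simulateBurst(n: number, opts: { trustProxy?: boolean; now?: Clock } = {}): number[] {
  const handle = buildAuthMiddleware(opts);
  const statuses: number[] = [];
  for (let i = 0; i < n; i++) {
    // Constructed sample request; 203.0.113.0/24 is a documentation range.
    statuses.push(handle({ ip: "203.0.113.7", path: "/api/auth/callback/example" }).status);
  }
  return statuses;
}
```

With the assumed tier, the eleventh request from one IP inside a window is rejected with 429, the counter rolls over once windowMs has elapsed, and a request carrying a forged X-Forwarded-For header still lands in the bucket of the connecting IP unless trustProxy is set. A fixed window lets a client spend two full quotas across a window boundary; a sliding window or token bucket is the usual refinement if that burst matters.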
Compliance
This change addresses OWASP SEC-08: Insecure Design by ensuring that authentication endpoints have a defined and enforced resource consumption policy, consistent with OWASP's guidance on rate limiting sensitive operations.