Calmony Pay, Features. Updated March 15, 2026

Security Update: Rate Limiting & Authentication Hardening (SEC-08)

Version: 1.0.46
OWASP Control: SEC-08 — Insecure Design

Overview

Calmony Pay v1.0.46 delivers a targeted security hardening update addressing OWASP control SEC-08. This control covers insecure design patterns — in this case, the lack of brute-force protection, account lockout, and authentication event logging on the platform's authentication endpoints.

While Calmony Pay uses OAuth exclusively (direct password login is not enabled), the absence of rate limiting and attempt tracking left several attack surfaces open to abuse. This release closes those gaps.


What Was the Risk?

Prior to this release:

  • Unlimited OAuth initiation attempts were possible from any IP address, enabling an attacker to repeatedly hammer the OAuth flow without consequence.
  • Invite token guessing had no attempt counter or artificial delay, making it feasible to enumerate valid tokens using timing-based techniques.
  • No authentication event logging meant suspicious or failed authentication attempts left no audit trail, making detection and incident response difficult.

What Changed

Per-IP Rate Limiting on /api/auth/*

All routes under /api/auth/* are now subject to per-IP rate limiting, capped at 10 requests per minute. Requests exceeding this threshold will be rejected before reaching the authentication handler.

This is enforced at the middleware layer (src/middleware.ts), ensuring consistent coverage across all authentication entry points regardless of the underlying provider.

Rate limit: 10 requests / minute / IP
Scope: /api/auth/* (all authentication routes)
Enforcement: src/middleware.ts

Authentication Audit Logging

Failed and anomalous authentication events are now passed to logAudit(), creating a persistent, queryable record of authentication activity. This supports:

  • Post-incident forensic investigation
  • Detection of sustained brute-force or enumeration campaigns
  • Compliance and audit requirements
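The per-IP limiter on /api/auth/* and the audit hook described in the two sections above, as an added, framework-agnostic illustration (this is not Calmony Pay's src/middleware.ts); the request and audit-event shapes, the injected clock, and the `auth.rate_limited` event name are assumptions:

```typescript
// Per-IP fixed-window limiter for /api/auth/* (10 requests / minute / IP) with an audit hook.
// Added illustration, not Calmony Pay's src/middleware.ts; request/audit shapes are assumed.
interface AuthRequest { ip: string; path: string }
interface AuditEvent { type: string; ip: string; path: string; at: number }
interface Decision { status: number; retryAfter?: number }
const WINDOW_MS = 60_000;  // one-minute window
const MAX_REQUESTS = 10;   // ceiling per window per IP
class AuthRateLimiter {
  private windows = new Map<string, { start: number; count: number }>();
  // Clock and audit sink are injected so the limiter can be exercised offline.
  constructor(
    private now: () => number = () => Date.now(),
    private logAudit: (e: AuditEvent) => void = () => {},
  ) {}
  // 200 = pass through to the auth handler; 429 = reject before the handler runs.
  decide(req: AuthRequest): Decision {
    if (!req.path.startsWith("/api/auth/")) return { status: 200 };  // out of scope
    const t = this.now();
    let w = this.windows.get(req.ip);
    if (!w || t - w.start >= WINDOW_MS) {  // first hit from this IP, or window expired
      w = { start: t, count: 0 };
      this.windows.set(req.ip, w);
    }
    w.count += 1;
    if (w.count > MAX_REQUESTS) {
      const retryAfter = Math.ceil((w.start + WINDOW_MS - t) / 1000);  // seconds to reset
      this.logAudit({ type: "auth.rate_limited", ip: req.ip, path: req.path, at: t });
      return { status: 429, retryAfter };
    }
    return { status: 200 };
  }
}
// Constructed scenario: one client exceeds the ceiling, a second client and a non-auth
// route are unaffected, and the noisy client recovers once the window lapses.
function runScenario(): { statuses: number[]; audited: AuditEvent[]; afterReset: number } {
  let clock = 0;
  const audited: AuditEvent[] = [];
  const limiter = new AuthRateLimiter(() => clock, (e) => audited.push(e));
  const statuses: number[] = [];
  for (let i = 0; i < 12; i++) {
    clock += 1_000;  // one request per second from the noisy client
    statuses.push(limiter.decide({ ip: "203.0.113.7", path: "/api/auth/callback" }).status);
  }
  statuses.push(limiter.decide({ ip: "203.0.113.8", path: "/api/auth/signin" }).status);
  statuses.push(limiter.decide({ ip: "203.0.113.7", path: "/api/health" }).status);
  clock += WINDOW_MS;  // window lapses
  const afterReset = limiter.decide({ ip: "203.0.113.7", path: "/api/auth/signin" }).status;
  return { statuses, audited, afterReset };
}
```

A production limiter behind a load balancer needs a shared store for the per-IP windows and must derive the client IP from a trusted header, otherwise each instance counts separately.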

Invite Token Hardening

The invite token acceptance flow now includes a delay and/or attempt counter to neutralise timing-based enumeration. This prevents attackers from using response timing differences to infer the validity of a guessed token.


Files Changed

File: src/middleware.ts
Change: Added per-IP rate limiting on /api/auth/*; integrated logAudit() for failed auth events; added delay/counter to invite token flow

Impact on Existing Integrations

Legitimate usage of the authentication flow is unaffected under normal conditions. The 10 requests/minute per-IP ceiling is well above the threshold for any standard OAuth interaction. No API contract changes were made.

If you operate automated tooling or test suites that initiate a high volume of authentication requests from a single IP, you should ensure those are throttled to remain within the rate limit.


Related Controls

This change is part of Calmony Pay's ongoing OWASP-aligned security review programme. Each control is tracked and addressed as a discrete, auditable release.