Problem
Authentication and sensitive account endpoints do not appear to have rate limiting, brute-force protection, or abuse controls.
Why this is not production ready
Open login, signup, token refresh, password change, account deletion, and social login endpoints can be abused for password guessing, account enumeration, token refresh flooding, and resource exhaustion.
Evidence
- No rate limiter, throttling middleware, IP/account lockout, CAPTCHA/escalation, or abuse detection was found in security configuration or controllers.
- /sign-up, /login, and social OAuth login endpoints are public.
- Login failure handling returns immediately without visible throttling or structured audit logic.
Required work
- Add rate limits for public auth endpoints by IP and account/email where applicable.
- Add progressive delay or lockout policy for repeated failed local-login attempts.
- Add refresh-token endpoint/request throttling.
- Audit account deletion and password change attempts.
- Avoid user enumeration in public auth responses.
- Add metrics/alerts for suspicious auth activity.
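The following is an added, framework-agnostic sketch of the controls listed above (it is not code from the project under review): a per-IP sliding-window limit, a per-account progressive lockout whose duration doubles on each consecutive lock, a uniform failure response so the login endpoint cannot be used for account enumeration, and a structured audit trail that metrics and alerts can be built on. The in-memory stores, the `USERS` credential table, the limits and the function names are all assumptions made for the example; a deployed service would keep the counters in a shared store such as Redis and verify salted password hashes.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed credential store for the example only; a real service stores salted hashes.
USERS = {"alice@example.com": "correct-horse"}

# Returned for unknown account and wrong password alike, so the body never reveals
# whether the email is registered.
GENERIC_FAILURE = {"status": 401, "error": "invalid_credentials"}


class AuthThrottle:
    """Per-IP sliding-window limit plus per-account progressive lockout (in-memory)."""

    def __init__(self, ip_limit=20, window=60.0, lock_threshold=5,
                 base_lock=30.0, max_lock=3600.0):
        self.ip_limit = ip_limit            # attempts allowed per IP per window
        self.window = window                # window length in seconds
        self.lock_threshold = lock_threshold  # consecutive failures before a lock
        self.base_lock = base_lock          # first lock length; doubles on each repeat
        self.max_lock = max_lock
        self.ip_hits = defaultdict(deque)   # ip -> timestamps of counted attempts
        self.failures = defaultdict(int)    # account -> consecutive failures
        self.lock_count = defaultdict(int)  # account -> consecutive locks so far
        self.locked_until = {}              # account -> time the lock expires
        self.audit = []                     # structured events for logs/metrics

    def _prune(self, ip, now):
        q = self.ip_hits[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def retry_after(self, ip, account, now):
        """Seconds until the caller may try again; 0 means the attempt is allowed."""
        q = self._prune(ip, now)
        if len(q) >= self.ip_limit:
            return self.window - (now - q[0])
        return max(0.0, self.locked_until.get(account, 0.0) - now)

    def record(self, ip, account, success, now):
        """Count an attempt; on repeated failure apply a progressively longer lock."""
        self.ip_hits[ip].append(now)
        if success:
            self.failures[account] = 0
            self.lock_count[account] = 0
            self.audit.append({"event": "login_success", "ip": ip,
                               "account": account, "t": now})
            return
        self.failures[account] += 1
        self.audit.append({"event": "login_failure", "ip": ip, "account": account,
                           "failures": self.failures[account], "t": now})
        if self.failures[account] >= self.lock_threshold:
            lock = min(self.base_lock * 2 ** self.lock_count[account], self.max_lock)
            self.lock_count[account] += 1
            self.failures[account] = 0
            self.locked_until[account] = now + lock
            self.audit.append({"event": "account_locked", "ip": ip,
                               "account": account, "seconds": lock, "t": now})


def login(throttle, ip, email, password, now=None):
    """Hypothetical login handler: throttle check, constant-time compare, uniform errors."""
    now = time.monotonic() if now is None else now
    wait = throttle.retry_after(ip, email, now)
    if wait > 0:
        return {"status": 429, "error": "too_many_attempts", "retry_after": round(wait)}
    stored = USERS.get(email)
    # Always run the comparison, against a dummy value when the account is unknown,
    # so response time does not differ between registered and unregistered emails.
    candidate = stored if stored is not None else "x" * 16
    match = hmac.compare_digest(candidate.encode(), password.encode())
    ok = stored is not None and match
    throttle.record(ip, email, ok, now)
    return {"status": 200, "user": email} if ok else dict(GENERIC_FAILURE)


def lock_events(throttle):
    """Events a metrics pipeline would export, e.g. to alert on lockout spikes."""
    return [e for e in throttle.audit if e["event"] == "account_locked"]
```

The `now` parameter exists so the lockout timing can be exercised deterministically in tests, which is what the acceptance criterion about tests for exceeding limits calls for; production callers leave it unset.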
Acceptance criteria
- Repeated failed login attempts are throttled and visible in metrics/logs.
- Rate limits are configurable per environment.
- Public auth endpoints have tests for exceeding limits.
- Error responses do not reveal whether an email/account exists unless intentionally allowed.