fix(security): rate-limit the public non-member apply route#159

Merged
sacha-l merged 1 commit into develop from fix/rate-limit-non-member-apply on May 22, 2026
Conversation

@sacha-l (Collaborator) commented May 22, 2026

Summary

Adds a tight per-IP rate limit to the public, unauthenticated POST /:slug/applications/non-member route, which emails the team (info@ cc sacha@) on every call.

Before, it was only covered by the global limiter (200/min), so one IP could flood the team inbox. Now: 5 requests per 15 min per IP on this route only.

Why this is the only app-level spam surface worth tightening

  • It cannot be used to spam arbitrary third parties – recipients are fixed (the applicant's address only appears in the email body), so it's not an open relay. Worst case was flooding our own inbox.
  • All admin email triggers (program-admin invite, etc.) are already auth-gated.
  • Magic-link sign-in emails are sent + rate-limited by Supabase, not this server.

Change

  • server/api/routes/program.routes.js: new nonMemberApplyLimiter (express-rate-limit, already a dep) applied to the non-member route. Generous for a real applicant (incl. retries), tight enough to kill a flood.

Test plan

  • npm test — 36 files, 291 pass (no regressions).
  • Manual: 6th submission from one IP within 15 min returns 429 with the friendly message.

Related hardening (not in this PR — yours)

  • Enable CAPTCHA (Turnstile/hCaptcha) on Supabase Auth to stop automated magic-link abuse.
  • Add a DMARC DNS record for joinwebzero.com.

The unauthenticated POST /:slug/applications/non-member route emails the
team on every call and was only under the generous global 200/min limiter,
so a single IP could flood the inbox. Add a tight per-IP limiter
(5 per 15 min) on this route only. It can't relay to arbitrary addresses
(fixed recipients), so this just stops inbox flooding.
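The limiter the PR describes, as an added stand-alone example that is not the project's code (server/api/routes/program.routes.js uses the express-rate-limit package; this block reimplements the same fixed-window, per-IP behaviour without dependencies so it runs offline). The numbers come from the PR (5 requests per 15 minutes per IP, 429 on the 6th); `createLimiter`, `clientIp`, the friendly message text and the 203.0.113.x / 198.51.100.x test addresses are assumptions made up for the demo. It goes one step beyond the PR to show the check a practitioner wants when deploying this behind a reverse proxy such as Vercel: which address the limiter keys on.

```javascript
// Added example, not the project's code: a minimal per-IP fixed-window
// limiter with the shape of the express-rate-limit middleware the PR puts on
// POST /:slug/applications/non-member. Limits follow the PR (5 per 15 min
// per IP, 429 on the 6th); message text, function names and IPs are invented.

const WINDOW_MS = 15 * 60 * 1000; // 15 minutes
const MAX_PER_WINDOW = 5;
const FRIENDLY_MESSAGE =
  'Too many applications from this network in a short time. Please try again in a few minutes.';

// Build a limiter keyed by client IP. `now` is injectable so the window reset
// can be exercised without waiting 15 real minutes.
function createLimiter({ windowMs = WINDOW_MS, max = MAX_PER_WINDOW, now = Date.now } = {}) {
  const buckets = new Map(); // ip -> { count, resetAt }
  return function check(ip) {
    const t = now();
    let b = buckets.get(ip);
    if (!b || t >= b.resetAt) {
      b = { count: 0, resetAt: t + windowMs }; // start a fresh window for this IP
      buckets.set(ip, b);
    }
    b.count += 1;
    if (b.count > max) {
      // Like express-rate-limit: 429 plus a Retry-After hint in seconds.
      return {
        status: 429,
        headers: { 'Retry-After': String(Math.ceil((b.resetAt - t) / 1000)) },
        body: { error: FRIENDLY_MESSAGE },
      };
    }
    return null; // allowed: the route handler runs and the team gets the email
  };
}

// Which address to key on. Behind a reverse proxy every request arrives from
// the proxy's address, so keying on the socket puts all applicants in one
// bucket and blocks the 6th *visitor*. Use X-Forwarded-For only when the app
// really is behind a proxy you control (in Express: app.set('trust proxy', 1)
// and req.ip); a client can set the header itself, so trusting it on a
// directly exposed server lets an attacker rotate fake IPs and bypass the
// limit entirely.
function clientIp(req, { behindProxy }) {
  const xff = req.headers['x-forwarded-for'];
  if (behindProxy && xff) {
    const hops = xff.split(',').map((s) => s.trim());
    return hops[hops.length - 1]; // the hop appended by our single trusted proxy
  }
  return req.socket.remoteAddress;
}

// Replay the PR's manual test: 6 submissions from one IP inside 15 minutes,
// then one more after the window has passed.
function simulateFlood() {
  let clock = 0;
  const limiter = createLimiter({ now: () => clock });
  const ip = '203.0.113.7'; // constructed test address (RFC 5737 TEST-NET-3)
  const statuses = [];
  for (let i = 0; i < 6; i++) statuses.push(limiter(ip) ? 429 : 200);
  clock = WINDOW_MS; // window over: the counter resets
  statuses.push(limiter(ip) ? 429 : 200);
  return statuses; // [200, 200, 200, 200, 200, 429, 200]
}

// Spoofing check: same socket, attacker rotates X-Forwarded-For on each call.
// With behindProxy=false the limiter still keys on the real socket address
// and blocks the 6th request; with behindProxy=true on a server that is NOT
// actually proxied, every request looks like a new client and none is blocked.
function simulateSpoofedHeaders(behindProxy) {
  const limiter = createLimiter();
  let blocked = 0;
  for (let i = 0; i < 6; i++) {
    const req = {
      headers: { 'x-forwarded-for': `198.51.100.${i}` }, // constructed, rotating
      socket: { remoteAddress: '203.0.113.7' },
    };
    if (limiter(clientIp(req, { behindProxy }))) blocked += 1;
  }
  return blocked;
}
```

The route-specific limiter stacks with the global one (200/min), so a real applicant who retries a few times stays well inside both, while the 6th attempt from one address in a 15-minute window gets the 429 and the friendly message. The proxy setting is the part worth verifying in the deployed app: if `trust proxy` is wrong in either direction, the limit is either useless or blocks legitimate applicants.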
@vercel vercel Bot commented May 22, 2026

The latest updates on your projects.

Project: stadium | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): May 22, 2026 4:58pm

@sacha-l sacha-l marked this pull request as ready for review May 22, 2026 17:36
@sacha-l sacha-l merged commit 96d9455 into develop May 22, 2026
2 checks passed