Context
advisor_update.md flags auth endpoints and the lead form as abuse surfaces. The lead API now uses lib/rate-limit.ts, but the email/password auth forms still rely primarily on Supabase Auth defaults and client-side submission behavior.
Acceptance criteria
- Document what Supabase Auth already rate-limits for sign-in, sign-up, password reset, and resend verification.
- Add app-side throttling or UX-level cooldowns where Supabase defaults are insufficient for launch.
- Ensure the lead route keeps its existing rate-limit coverage.
- Surface friendly errors for throttled auth actions without leaking account existence.
- Add focused tests where the chosen implementation is local code.
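As an added illustration of the app-side throttling and non-enumerating responses the criteria call for (example code written here, not the project's lib/rate-limit.ts; the AuthThrottle class, the per-action budgets and the message wording are assumptions):

```typescript
// Added example, not the project's own code: an in-memory fixed-window throttle
// for auth actions, plus responses that read the same whether or not an account exists.
type AuthAction = "sign-in" | "sign-up" | "password-reset" | "resend-verification";

// Hypothetical per-action budgets: attempts allowed per window (ms).
const LIMITS: Record<AuthAction, { max: number; windowMs: number }> = {
  "sign-in": { max: 5, windowMs: 60_000 },
  "sign-up": { max: 3, windowMs: 60 * 60_000 },
  "password-reset": { max: 3, windowMs: 60 * 60_000 },
  "resend-verification": { max: 3, windowMs: 60 * 60_000 },
};

interface Bucket { count: number; resetAt: number }

class AuthThrottle {
  private buckets = new Map<string, Bucket>();
  // Clock is injectable so the window logic can be tested deterministically.
  constructor(private now: () => number = Date.now) {}

  // Key on action + client IP + normalized email: a single caller cannot spray
  // many addresses, and one address cannot be locked out from one IP alone.
  check(action: AuthAction, ip: string, email: string): { allowed: boolean; retryAfterSec: number } {
    const { max, windowMs } = LIMITS[action];
    const key = `${action}:${ip}:${email.trim().toLowerCase()}`;
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || b.resetAt <= t) {
      b = { count: 0, resetAt: t + windowMs };
      this.buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= max;
    return { allowed, retryAfterSec: allowed ? 0 : Math.ceil((b.resetAt - t) / 1000) };
  }
}

// One message for every throttled auth action; it never mentions the account.
function throttledMessage(retryAfterSec: number): string {
  return `Too many attempts. Please wait about ${retryAfterSec} seconds and try again.`;
}

// Reset/resend outcome: identical text whether or not the address is registered,
// so neither the throttle nor the success path can be used to probe for accounts.
function neutralOutcome(action: "password-reset" | "resend-verification", accountExists: boolean): string {
  void accountExists; // deliberately unused: the response must not depend on it
  return action === "password-reset"
    ? "If an account exists for that email, a reset link is on its way."
    : "If an account exists for that email, a new verification link is on its way.";
}
```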
References
advisor_update.md, section "Security / hardening: No rate limiting"
lib/rate-limit.ts
app/api/leads/route.ts