
fix(registration): rate limit the register endpoint#52

Merged
Bccorb merged 1 commit into main from fix/registration-rate-limit on Jul 3, 2026

Conversation

@Bccorb (Contributor) commented Jul 3, 2026

Summary

POST /registration/register had no rate limiting, while every other unauthenticated credential-issuing route (OTP, magic link) and the peer /registration/phone route already applied limiters. This left an unthrottled path for registration/OTP spam and account enumeration against the endpoint.

This applies the existing shared limiters to the route:

  • otpIpLimiter — 10 requests / 15 min per IP
  • otpIdentityLimiter — 5 requests / 15 min per identity (keys on the request-body email, falls back to IP)

No new limiter code: it reuses src/middleware/rateLimit.ts, whose getOtpIdentityKey already reads body.email.

Security context

Found during a security survey of the passwordless auth flows. Severity: medium. This is the only unauthenticated credential-issuing endpoint that was missing rate limiting.

Testing

  • npm run typecheck, npm run lint — clean
  • Full suite via pre-commit gate: 486 passed, 3 skipped
  • Registration integration tests (13) pass; the test-env limiter mock keeps them deterministic

Notes

Behavior change: clients exceeding the limits now receive 429. Non-contract (no route/schema/status-code changes on the success path).
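
As an added worked example (not code from this PR or from the project's src/middleware/rateLimit.ts): a self-contained TypeScript sketch of the two limiters described above, chained in front of a registration handler the way the PR applies them. Only the limits (10 per 15 min per IP, 5 per 15 min per identity, identity keyed on body.email with an IP fallback) come from the PR; the request shape, the FixedWindowLimiter class, the trim/lower-case normalisation inside getOtpIdentityKey, the makeRegisterRoute and simulate helpers and the sample traffic are assumptions constructed for illustration.

```typescript
// Added example, not the project's code. Two fixed-window limiters (per IP,
// per identity) chained in front of a registration handler, with a request
// shape and helper names assumed for illustration.

interface Req {
  ip: string;
  body?: { email?: unknown };
}

interface Bucket {
  count: number;
  resetAt: number;
}

interface LimiterOptions {
  windowMs: number;
  max: number;
  keyFn: (req: Req) => string;
}

// Fixed-window counter keyed by whatever keyFn returns. The clock (`now`, in
// ms) is passed in so callers and tests control time deterministically, which
// is what the PR's test-env limiter mock achieves for the real suite.
class FixedWindowLimiter {
  private readonly opts: LimiterOptions;
  private readonly buckets = new Map<string, Bucket>();

  constructor(opts: LimiterOptions) {
    this.opts = opts;
  }

  // true = within limit, false = reject with 429.
  allow(req: Req, now: number): boolean {
    const key = this.opts.keyFn(req);
    const bucket = this.buckets.get(key);
    if (bucket === undefined || now >= bucket.resetAt) {
      this.buckets.set(key, { count: 1, resetAt: now + this.opts.windowMs });
      return true;
    }
    bucket.count += 1;
    return bucket.count <= this.opts.max;
  }
}

// Identity key: the request-body email, falling back to the client IP when the
// body carries no usable string. The PR says the project's getOtpIdentityKey
// reads body.email; the trim/lower-case normalisation is an assumption here.
function getOtpIdentityKey(req: Req): string {
  const email = req.body?.email;
  if (typeof email === 'string' && email.trim() !== '') {
    return 'email:' + email.trim().toLowerCase();
  }
  return 'ip:' + req.ip;
}

const WINDOW_MS = 15 * 60 * 1000;

// Fresh limiter pair plus the route that chains them, mirroring
// router.post('/register', otpIpLimiter, otpIdentityLimiter, handler).
// Returns the HTTP status the client would see.
function makeRegisterRoute(): (req: Req, now: number) => number {
  const otpIpLimiter = new FixedWindowLimiter({
    windowMs: WINDOW_MS, max: 10, keyFn: (r) => 'ip:' + r.ip,
  });
  const otpIdentityLimiter = new FixedWindowLimiter({
    windowMs: WINDOW_MS, max: 5, keyFn: getOtpIdentityKey,
  });
  return (req, now) => {
    // Order matters: a request the IP limiter rejects never reaches, and so
    // never counts against, the identity limiter.
    for (const limiter of [otpIpLimiter, otpIdentityLimiter]) {
      if (!limiter.allow(req, now)) return 429;
    }
    return 200; // the real handler would create the account / issue the OTP
  };
}

// Replays a constructed request sequence against a fresh route and returns
// the status codes in order.
function simulate(reqs: Array<{ req: Req; at: number }>): number[] {
  const route = makeRegisterRoute();
  return reqs.map(({ req, at }) => route(req, at));
}

// Constructed sample: one IP re-submitting the same email seven times in a
// minute trips the per-identity limit on the sixth attempt.
const sameIdentity = simulate(
  Array.from({ length: 7 }, (_, i) => ({
    req: { ip: '203.0.113.9', body: { email: 'alice@example.com' } },
    at: i * 1000,
  })),
);
console.log(sameIdentity); // [200, 200, 200, 200, 200, 429, 429]

// Constructed sample: enumeration from one IP with a fresh email each time is
// invisible to the identity limiter and is stopped by the per-IP limit instead.
const enumeration = simulate(
  Array.from({ length: 12 }, (_, i) => ({
    req: { ip: '203.0.113.9', body: { email: `user${i}@example.com` } },
    at: i * 1000,
  })),
);
console.log(enumeration); // ten 200s, then 429, 429
```

Two practitioner points the sketch makes visible: the identity key is derived from an attacker-controlled body field, so on its own it is trivially bypassed by rotating the address, and it is the per-IP limiter placed in front of it that bounds enumeration; and whatever normalisation the identity key applies decides whether `Alice@` and `alice@` share a bucket, so it should match how the registration handler itself canonicalises the email.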

Apply the shared per-IP and per-identity OTP limiters to
POST /registration/register, which previously had no rate limiting.
This closes an unthrottled path for registration/OTP spam and
account enumeration. The peer /registration/phone route already
used these limiters.
@codecov-commenter


Codecov Report

✅ All modified and coverable lines are covered by tests.


@Bccorb Bccorb merged commit 557a3b1 into main Jul 3, 2026
2 of 3 checks passed
@Bccorb Bccorb deleted the fix/registration-rate-limit branch July 3, 2026 15:38