Problem
The login endpoint has no rate limiting, enabling unthrottled credential brute-force.
The SlowAPI Limiter is constructed with no default_limits/application_limits, so it only throttles routes carrying an explicit decorator. The /auth/jwt/login route is mounted via the fastapi-users library (fastapi_users.get_auth_router(...)) with no wrapping, so the existing rate_limit_auth() decorator (10/min) is never applied to it. Registration and any password-reset/verification flows share the same gap.
Evidence
codeframe/lib/rate_limiter.py:162 — Limiter(...) constructed without default_limits/application_limits
codeframe/lib/rate_limiter.py:272 — rate_limit_auth() exists but is not applied to the login route
codeframe/auth/router.py:58-63 — auth router mounted via library, undecorated
Fix
- Apply an auth-tier limit to login/register (and reset/verify) — either set
application_limits/default_limits on the Limiter, or wrap the fastapi-users auth router behind a dependency that invokes the auth limiter.
Acceptance criteria
Source: release-readiness audit 2026-06-13 (security agent, finding H2).
Problem
The login endpoint has no rate limiting, enabling unthrottled credential brute-force.
The SlowAPI
Limiteris constructed with nodefault_limits/application_limits, so it only throttles routes carrying an explicit decorator. The/auth/jwt/loginroute is mounted via the fastapi-users library (fastapi_users.get_auth_router(...)) with no wrapping, so the existingrate_limit_auth()decorator (10/min) is never applied to it. Registration and any password-reset/verification flows share the same gap.Evidence
codeframe/lib/rate_limiter.py:162—Limiter(...)constructed withoutdefault_limits/application_limitscodeframe/lib/rate_limiter.py:272—rate_limit_auth()exists but is not applied to the login routecodeframe/auth/router.py:58-63— auth router mounted via library, undecoratedFix
application_limits/default_limitson theLimiter, or wrap the fastapi-users auth router behind a dependency that invokes the auth limiter.Acceptance criteria
/auth/jwt/loginreturns429after exceeding the auth-tier limit./auth/registeris likewise limited.Source: release-readiness audit 2026-06-13 (security agent, finding H2).