Skip to content

[P6.4.2] Rate-limit /auth/jwt/login and /auth/register (credential brute-force) #644

Description

@frankbria

Problem

The login endpoint has no rate limiting, enabling unthrottled credential brute-force.

The SlowAPI Limiter is constructed with no default_limits/application_limits, so it only throttles routes carrying an explicit decorator. The /auth/jwt/login route is mounted via the fastapi-users library (fastapi_users.get_auth_router(...)) with no wrapping, so the existing rate_limit_auth() decorator (10/min) is never applied to it. Registration and any password-reset/verification flows share the same gap.

Evidence

  • codeframe/lib/rate_limiter.py:162Limiter(...) constructed without default_limits/application_limits
  • codeframe/lib/rate_limiter.py:272rate_limit_auth() exists but is not applied to the login route
  • codeframe/auth/router.py:58-63 — auth router mounted via library, undecorated

Fix

  • Apply an auth-tier limit to login/register (and reset/verify) — either set application_limits/default_limits on the Limiter, or wrap the fastapi-users auth router behind a dependency that invokes the auth limiter.

Acceptance criteria

  • /auth/jwt/login returns 429 after exceeding the auth-tier limit.
  • /auth/register is likewise limited.
  • Test asserts 429 under repeated attempts.

Source: release-readiness audit 2026-06-13 (security agent, finding H2).

Metadata

Metadata

Assignees

No one assigned

    Labels

    P0-blocker-betaCritical blocker - must fix before beta testingphase-6.4Phase 6.4: Security & release-hygiene beta blockerssecurity

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions