feat(passkeys): add rate limiter on the /options endpoint for authentication #2422
| r.Post("/options", api.PasskeyAuthenticationOptions) | ||
| r.With(api.limitHandler(api.limiterOpts.PasskeyAuthentication)). | ||
| Post("/options", api.PasskeyAuthenticationOptions) | ||
| r.Post("/verify", api.PasskeyAuthenticationVerify) |
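Review bot: the context line `r.Post("/verify", api.PasskeyAuthenticationVerify)` directly under the changed route is left without the `limitHandler` wrapper, so only challenge creation on `/options` is throttled while the `/verify` step that consumes the challenge is not; either wrap it the same way or state in the PR description that leaving `/verify` unlimited is intentional.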
⚪ Severity: LOW
The /passkeys/authentication/verify endpoint lacks rate limiting. While WebAuthn is resistant to brute force, authentication endpoints should consistently apply rate limiting to mitigate automated abuse and align with the security posture of other verification routes in the API.
💡 Fix Suggestion
Suggestion: Apply the same limitHandler middleware to the /verify route that is already used for the /options route. Replace the plain r.Post("/verify", ...) call with a r.With(api.limitHandler(api.limiterOpts.PasskeyAuthentication)).Post(...) call, consistent with how other verification endpoints (e.g., /verify, /factor/verify) are rate-limited throughout the API.
⚠️ Experimental Feature: This code suggestion is automatically generated. Please review carefully.
| r.Post("/verify", api.PasskeyAuthenticationVerify) | |
| r.With(api.limitHandler(api.limiterOpts.PasskeyAuthentication)). | |
| Post("/verify", api.PasskeyAuthenticationVerify) |
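Review bot: this suggestion reuses `api.limiterOpts.PasskeyAuthentication` for `/verify`, the same option the `/options` route now uses; if `limitHandler` keys its bucket on the option rather than the route, one normal login (one `/options` call followed by one `/verify` call) would consume two units of a shared budget, so confirm that is intended or give `/verify` its own limiter option.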
Adds rate limiter to the /passkeys/authentication/options endpoint to restrict challenge creation.