
Fixed Unrestricted Authentication Endpoint #70

Merged
krishnapaljadeja merged 5 commits into gdg-charusat:main from Krish3017:fix/Unrestricted-Authentication-Endpoint
Feb 28, 2026

Conversation

@Krish3017
Contributor

Team Number : Team 152

Description

Implemented comprehensive rate limiting on authentication endpoints to protect against brute-force attacks, account enumeration, and denial-of-service attacks. This security enhancement adds request throttling to login and registration endpoints, along with global API rate limiting.

Related Issue

Closes #67

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code refactoring
  • Performance improvement
  • Style/UI improvement

Changes Made

  • Installed express-rate-limit package for implementing rate limiting
  • Created src/config/rateLimiter.js with three rate limiter configurations:
    • authLimiter: 5 requests per 15 minutes for login endpoint
    • registerLimiter: 3 requests per 60 minutes for registration endpoint
    • apiLimiter: 100 requests per 15 minutes for all API routes
  • Applied authLimiter to /api/auth/login endpoint in src/routes/auth.routes.js
  • Applied registerLimiter to /api/auth/register endpoint in src/routes/auth.routes.js
  • Applied global apiLimiter to all /api/* routes in src/app.js
  • Configured standard RateLimit headers and disabled legacy X-RateLimit headers

Testing

  • Tested on Desktop (Chrome/Firefox/Safari)
  • Tested on Mobile (iOS/Android)
  • Tested responsive design (different screen sizes)
  • No console errors or warnings
  • Code builds successfully (npm run build)
  • Verified rate limiting returns HTTP 429 when limits exceeded
  • Confirmed proper error messages are returned
  • Tested that RateLimit-* headers are present in responses

Checklist

  • My code follows the project's code style guidelines
  • I have performed a self-review of my code
  • I have commented my code where necessary
  • My changes generate no new warnings
  • I have tested my changes thoroughly
  • All TypeScript types are properly defined
  • Tailwind CSS classes are used appropriately (no inline styles)
  • Component is responsive across different screen sizes
  • I have read and followed the CONTRIBUTING.md guidelines

Additional Notes

This implementation follows OWASP security best practices for authentication rate limiting. The rate limits are configured conservatively:

  • Login: 5 attempts per 15 minutes (prevents brute force attacks)
  • Register: 3 attempts per 60 minutes (prevents spam account creation)
  • General API: 100 requests per 15 minutes (prevents DoS attacks)

These limits can be adjusted based on actual usage patterns and requirements. The implementation uses sliding window rate limiting for better accuracy and returns standardized RateLimit-* headers to inform clients of their current rate limit status.
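The following is an added example, not the project's src/config/rateLimiter.js and not the express-rate-limit package: a minimal fixed-window limiter in the shape of an Express middleware, so the login limit described above (5 requests per 15 minutes, HTTP 429 on overflow, RateLimit-* headers) can be exercised offline without a server. It uses a fixed window, which is what express-rate-limit's default in-memory store also does. The helper names (createRateLimiter, runRequests, demoAuthLimiter), the fake clock and the TEST-NET client addresses are all constructed for the demo.

```javascript
// Added example, not the project's code: a fixed-window limiter keyed by client IP,
// modelled on express-rate-limit's default behaviour (in-memory counter per key,
// 429 when the window is exhausted, RateLimit-Limit/Remaining/Reset headers).

// Hypothetical factory: one limiter instance per endpoint, counters keyed by req.ip by default.
function createRateLimiter({ windowMs, max, keyGenerator = (req) => req.ip, now = Date.now }) {
  const hits = new Map(); // key -> { count, resetAt }; process-local, not shared between instances

  // Count one request against its key and report whether it fits in the current window.
  function check(req) {
    const key = keyGenerator(req);
    const t = now();
    let entry = hits.get(key);
    if (!entry || t >= entry.resetAt) {            // first hit, or the previous window expired
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(key, entry);
    }
    entry.count += 1;
    return {
      allowed: entry.count <= max,
      limit: max,
      remaining: Math.max(0, max - entry.count),
      resetSeconds: Math.ceil((entry.resetAt - t) / 1000),
    };
  }

  function middleware(req, res, next) {
    const r = check(req);
    res.setHeader('RateLimit-Limit', String(r.limit));
    res.setHeader('RateLimit-Remaining', String(r.remaining));
    res.setHeader('RateLimit-Reset', String(r.resetSeconds));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(r.resetSeconds));
      res.status(429).json({ error: 'Too many requests, please try again later.' });
      return;                                      // next() is not called: the login handler never runs
    }
    next();
  }
  middleware.check = check;
  return middleware;
}

// Stand-in for an Express response: records status, headers and body.
function makeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.setHeader = (name, value) => { res.headers[name] = value; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Push n copies of req through the middleware; 200 if next() ran, else the status it set.
function runRequests(limiter, req, n) {
  const statuses = [];
  for (let i = 0; i < n; i++) {
    const res = makeRes();
    let passed = false;
    limiter(req, res, () => { passed = true; });
    statuses.push(passed ? 200 : res.statusCode);
  }
  return statuses;
}

// Drive the login limit (5 per 15 minutes) with a fake clock. Client addresses are constructed
// (TEST-NET ranges); the requests stand in for POST /api/auth/login.
function demoAuthLimiter() {
  let clock = 0;
  const limiter = createRateLimiter({ windowMs: 15 * 60 * 1000, max: 5, now: () => clock });
  const alice = { ip: '203.0.113.7', body: { email: 'alice@example.com' } };
  const bob   = { ip: '203.0.113.7', body: { email: 'bob@example.com' } };    // same IP, other user
  const eve   = { ip: '198.51.100.9', body: { email: 'alice@example.com' } }; // other IP, same user

  const burst = runRequests(limiter, alice, 6);         // five pass, the sixth gets 429
  const blocked = makeRes();
  limiter(alice, blocked, () => {});                    // seventh attempt: still blocked, headers set
  const sameIpOtherUser = runRequests(limiter, bob, 1); // shares Alice's IP counter: 429
  const otherIpSameUser = runRequests(limiter, eve, 1); // fresh IP counter: 200
  clock = 15 * 60 * 1000;                               // the window expires
  const afterWindow = runRequests(limiter, alice, 1);   // counter reset: 200
  return { burst, headers: blocked.headers, sameIpOtherUser, otherIpSameUser, afterWindow };
}

console.log(JSON.stringify(demoAuthLimiter(), null, 2));
```

Two things the demo makes visible that a practitioner should check before relying on the PR's limits. First, keying on req.ip means everyone behind one NAT or proxy shares a single counter (Bob is locked out by Alice's failures), and in Express req.ip only reflects the real client when `trust proxy` is configured correctly; with it misconfigured, every user appears to come from the load balancer's address. Second, an attacker with many source addresses still gets five guesses per address per window against the same account, so IP-only throttling slows a brute force but does not stop credential stuffing; a per-account key (or both) plus alerting is the usual complement. An in-memory counter is also per process, so a multi-instance deployment needs a shared store for the limits to hold.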

@krishnapaljadeja krishnapaljadeja self-requested a review February 27, 2026 07:00
@krishnapaljadeja krishnapaljadeja added the needs-review Valid issue-linked PR awaiting review label Feb 27, 2026
@krishnapaljadeja
Contributor

✅ PR Validation Passed

Hey @Krish3017! Your PR looks good. Here is what we found:

Field Value
Team Number Team 152
Linked Issue Closes #67

A maintainer will review your PR within 24–48 hours. Stay responsive to feedback!

GDG CHARUSAT Open Source Contri Sprintathon

@krishnapaljadeja krishnapaljadeja added needs-review Valid issue-linked PR awaiting review and removed needs-review Valid issue-linked PR awaiting review labels Feb 27, 2026
@krishnapaljadeja
Contributor

@Krish3017 can you please remove package-lock.json from the commit and rebase it. Thank you

@krishnapaljadeja krishnapaljadeja added needs-review Valid issue-linked PR awaiting review and removed needs-review Valid issue-linked PR awaiting review labels Feb 28, 2026
@krishnapaljadeja krishnapaljadeja merged commit df51f8b into gdg-charusat:main Feb 28, 2026
1 check passed
@krishnapaljadeja
Contributor

🎉 PR Merged — Points Awarded!

Congratulations @Krish3017! Your contribution has been merged.

Field Value
Repo Code_duel_backend
Team Team 152
Contributor @Krish3017
Level Level 1 — Beginner
Points Awarded 5 pts
Source Linked Issue #67

The central leaderboard has been updated. Keep contributing!

GDG CHARUSAT Open Source Contri Sprintathon


Labels

needs-review Valid issue-linked PR awaiting review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Unrestricted Authentication Endpoint Enabling Brute-Force Attacks - T152

2 participants