gdg-charusat · krishnapaljadeja · Feb 28, 2026 · Feb 27, 2026 · Feb 27, 2026 · Feb 28, 2026
diff --git a/src/app.js b/src/app.js
@@ -5,6 +5,7 @@ const responseTime = require("response-time");
 const { config } = require("./config/env");
 const { errorHandler, notFound } = require("./middlewares/error.middleware");
 const logger = require("./utils/logger");
+const { apiLimiter } = require("./config/rateLimiter");
 
 const adminRoutes = require("./routes/admin.routes");
 
@@ -48,6 +49,15 @@ const createApp = () => {
   app.use(express.json());
   app.use(express.urlencoded({ extended: true }));
 
+  // Request logging middleware
+  app.use((req, res, next) => {
+    // logger.info(`${req.method} ${req.path}`);
+    next();
+  });
+
+  // Apply rate limiting to all API routes
+  app.use("/api/", apiLimiter);
+
   // Health check endpoint
   app.get("/health", (req, res) => {
     res.status(200).json({

diff --git a/src/config/rateLimiter.js b/src/config/rateLimiter.js
@@ -0,0 +1,39 @@
+const rateLimit = require('express-rate-limit');
+
+// Authentication endpoints (login) - strict limiting
+const authLimiter = rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 5, // 5 requests per windowMs
+    message: {
+        success: false,
+        message: 'Too many authentication attempts. Please try again later.',
+    },
+    standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+    legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+});
+
+// Registration endpoint - more strict to prevent spam accounts
+const registerLimiter = rateLimit({
+    windowMs: 60 * 60 * 1000, // 60 minutes
+    max: 3, // 3 requests per windowMs
+    message: {
+        success: false,
+        message: 'Too many registration attempts. Please try again later.',
+    },
+    standardHeaders: true,
+    legacyHeaders: false,
+});
+
+// General API endpoints - lenient limiting
+const apiLimiter = rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 100, // 100 requests per windowMs
+    message: {
+        success: false,
+        message: 'Too many requests from this IP. Please try again later.',
+    },
+    standardHeaders: true,
+    legacyHeaders: false,
+});
+
+module.exports = { authLimiter, registerLimiter, apiLimiter };
diff --git a/src/routes/auth.routes.js b/src/routes/auth.routes.js
@@ -2,6 +2,7 @@ const express = require("express");
 const router = express.Router();
 const authController = require("../controllers/auth.controller");
 const { authenticate } = require("../middlewares/auth.middleware");
+const { authLimiter, registerLimiter } = require("../config/rateLimiter");
 
 /**
  * @route   POST /api/auth/register
@@ -10,6 +11,7 @@ const { authenticate } = require("../middlewares/auth.middleware");
  */
 router.post(
   "/register",
+  registerLimiter,
   authController.validateRegister,
   authController.register
 );
@@ -19,7 +21,7 @@ router.post(
  * @desc    Login user
  * @access  Public
  */
-router.post("/login", authController.validateLogin, authController.login);
+router.post("/login", authLimiter, authController.validateLogin, authController.login);
 
 /**
  * @route   POST /api/auth/forgot-password