feat: add per-IP rate limiting to login endpoint #78

Open

clawbot wants to merge 2 commits from feature/login-rate-limit into main

Author	SHA1	Message	Date
clawbot	d0e925bf70	docs: add reverse proxy security note to login rate limiting section All checks were successful check / check (push) Successful in 1m8s Details	2026-03-17 04:49:49 -07:00
user	e519ffa1e6	feat: add per-IP rate limiting to login endpoint Add a token-bucket rate limiter (golang.org/x/time/rate) that limits login attempts per client IP on POST /api/v1/login. Returns 429 Too Many Requests with a Retry-After header when the limit is exceeded. Configurable via LOGIN_RATE_LIMIT (requests/sec, default 1) and LOGIN_RATE_BURST (burst size, default 5). Stale per-IP entries are automatically cleaned up every 10 minutes. Only the login endpoint is rate-limited per sneak's instruction — session creation and registration use hashcash proof-of-work instead.	2026-03-17 04:48:46 -07:00

Author

SHA1

Message

Date

clawbot

d0e925bf70

docs: add reverse proxy security note to login rate limiting section

check / check (push) Successful in 1m8s

Details

2026-03-17 04:49:49 -07:00

user

e519ffa1e6

feat: add per-IP rate limiting to login endpoint

Add a token-bucket rate limiter (golang.org/x/time/rate) that limits
login attempts per client IP on POST /api/v1/login. Returns 429 Too
Many Requests with a Retry-After header when the limit is exceeded.

Configurable via LOGIN_RATE_LIMIT (requests/sec, default 1) and
LOGIN_RATE_BURST (burst size, default 5). Stale per-IP entries are
automatically cleaned up every 10 minutes.

Only the login endpoint is rate-limited per sneak's instruction —
session creation and registration use hashcash proof-of-work instead.

2026-03-17 04:48:46 -07:00

feat: add per-IP rate limiting to login endpoint #78

2 Commits