Add rate limiting to login endpoint to prevent brute force

Apply per-IP rate limiting (5 attempts/minute) to POST /login using golang.org/x/time/rate. Returns 429 Too Many Requests when exceeded. Closes #12
2026-02-15 14:04:52 -08:00
parent 3a2bd0e51d
commit 66661d1b1d
3 changed files with 175 additions and 1 deletions
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -46,7 +46,7 @@ func (s *Server) SetupRoutes() {

 		// Public routes
 		r.Get("/login", s.handlers.HandleLoginGET())
-		r.Post("/login", s.handlers.HandleLoginPOST())
+		r.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleLoginPOST())
 		r.Get("/setup", s.handlers.HandleSetupGET())
 		r.Post("/setup", s.handlers.HandleSetupPOST())