Add rate limiting to login endpoint to prevent brute force

Apply per-IP rate limiting (5 attempts/minute) to POST /login using
golang.org/x/time/rate; the endpoint returns 429 Too Many Requests once the limit is exceeded.

Closes #12
clawbot
2026-02-15 14:04:52 -08:00
parent d4eae284b5
commit e8992d2311
3 changed files with 175 additions and 1 deletions


@@ -39,7 +39,7 @@ func (s *Server) SetupRoutes() {
// Public routes
s.router.Get("/login", s.handlers.HandleLoginGET())
s.router.Post("/login", s.handlers.HandleLoginPOST())
s.router.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleLoginPOST())
s.router.Get("/setup", s.handlers.HandleSetupGET())
s.router.Post("/setup", s.handlers.HandleSetupPOST())