security(auth): add rate limiting to token login endpoint

2026-06-03 04:40:09 +00:00 · 2026-03-12 17:45:25 +00:00
parent 81712ad3ce
commit d73d13aa26
3 changed files with 130 additions and 6 deletions
@@ -7,12 +7,25 @@ import { NextRequest, NextResponse } from 'next/server';
 import { prisma } from '@/lib/db';
 import { generateAccessToken, generateRefreshToken } from '@/lib/utils/jwt';
 import { RMABLogger } from '@/lib/utils/logger';
+import { checkTokenLoginRateLimit } from '@/lib/utils/authRateLimit';
 import crypto from 'crypto';

 const logger = RMABLogger.create('API.Auth.TokenLogin');

 export async function POST(request: NextRequest) {
  try {
+    const ip = request.headers.get('x-forwarded-for') ?? 'unknown';
+    const rateLimit = checkTokenLoginRateLimit(ip);
+    if (!rateLimit.allowed) {
+      return NextResponse.json(
+        { error: 'Too many login attempts. Please try again later.' },
+        {
+          status: 429,
+          headers: { 'Retry-After': String(rateLimit.retryAfterSeconds) },
+        }
+      );
+    }
+
    const { token } = await request.json();

    if (!token) {