security: brute-force protection on auth endpoints (v1.1.0)

- Nginx rate limit: 20 req/min per IP on /api/auth/login and /register
- slowapi rate limit: 10/min on login, 5/hour on register (Redis-backed)
- Real client IP extracted from X-Forwarded-For for accurate per-IP limiting

Authored by: Jack Levy
2026-03-15 18:07:53 -04:00
parent 47bc8babc2
commit d6ebbf75d0
5 changed files with 44 additions and 3 deletions


@@ -1,8 +1,11 @@
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
from slowapi import _rate_limit_exceeded_handler
from slowapi.errors import RateLimitExceeded
from app.api import bills, members, follows, dashboard, search, settings, admin, health, auth, notifications, notes, collections, share, alignment
from app.config import settings as config
from app.core.limiter import limiter
app = FastAPI(
title="PocketVeto",
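Review bot: `_rate_limit_exceeded_handler` is an underscore-prefixed name in slowapi, so it is not part of the library's public API and may move or change shape between releases; since this commit already introduces `app.core.limiter`, consider defining a small project-owned handler there (a `JSONResponse` with status 429 and a `Retry-After` header) and importing that instead, so the response format for throttled login attempts is something the project controls. On style, the `from app.api import bills, members, ... alignment` line now carries fourteen modules on one line; splitting it into a parenthesised, one-module-per-line import keeps future diffs readable.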
@@ -10,6 +13,9 @@ app = FastAPI(
version="1.0.0",
)
app.state.limiter = limiter
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
app.add_middleware(
CORSMiddleware,
allow_origins=[o for o in [config.LOCAL_URL, config.PUBLIC_URL] if o],
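Review bot: registering `app.state.limiter = limiter` and the `RateLimitExceeded` handler here is enough for `@limiter.limit` decorators on the auth routes to work, but the default handler only injects `Retry-After` and the `X-RateLimit-*` headers when the `Limiter` was constructed with `headers_enabled=True`; please confirm that in `app/core/limiter.py`, otherwise the login form gets a bare 429 with no indication of when to retry. Related to the commit message's "real client IP extracted from X-Forwarded-For": the key function in that module should only honour the header for requests that arrive via the Nginx proxy in front of the app (and take the address Nginx appended, not the first value), since a limit keyed on an unvalidated client-supplied header is not really a per-IP limit.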