security: brute-force protection on auth endpoints (v1.1.0)

- Nginx rate limit: 20 req/min per IP on /api/auth/login and /register
- slowapi rate limit: 10/min on login, 5/hour on register (Redis-backed)
- Real client IP extracted from X-Forwarded-For for accurate per-IP limiting

Authored by: Jack Levy
Jack Levy
2026-03-15 18:07:53 -04:00
parent 47bc8babc2
commit d6ebbf75d0
5 changed files with 44 additions and 3 deletions
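The third bullet of the commit message, extracting the real client IP from X-Forwarded-For, is the part of this change that is easy to get wrong: if the application takes the first (or any) address from that header unconditionally, a client can send its own X-Forwarded-For and rotate the per-IP key on every request, which defeats the slowapi limits entirely. The following is an added example, not code from this commit or project. It shows a key function that only honours the header when the TCP peer is one of a set of trusted proxy ranges (the edge nginx; the ranges here are assumed, not taken from the repository) and that walks the header from right to left so client-supplied prefixes are ignored, paired with an in-memory sliding-window limiter that stands in for the Redis-backed slowapi storage so it runs offline.

```python
import ipaddress
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Optional

# Hypothetical: networks the edge nginx connects from. Only a peer inside one
# of these is allowed to tell us who the real client is. Not from the commit.
TRUSTED_PROXIES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
)


def _parse_ip(value: str):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _is_trusted(value: str, trusted: Iterable) -> bool:
    addr = _parse_ip(value)
    return addr is not None and any(addr in net for net in trusted)


def client_ip(xff: Optional[str], peer_ip: str, trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Return the address to rate-limit on.

    The X-Forwarded-For chain reads left (client) to right (last proxy), and
    each proxy appends the peer it saw. Only the entries appended by proxies
    we trust are reliable, so we walk from the right, discarding our own
    proxies; the first address that is not ours is the real client. If the
    TCP peer itself is not a trusted proxy, the header is attacker-controlled
    and is ignored entirely.
    """
    if not _is_trusted(peer_ip, trusted):
        return peer_ip
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse_ip(hop) is None:
            # Malformed entry from a trusted proxy: fall back rather than
            # keying on an unparseable string an attacker could vary.
            return peer_ip
        if not _is_trusted(hop, trusted):
            return hop
    # Every hop was one of our proxies (e.g. health checks): key on the peer.
    return peer_ip


class SlidingWindowLimiter:
    """Stand-in for the Redis-backed slowapi storage: N requests per window per key."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        t = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and q[0] <= t - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(t)
        return True


# 10/min on login, matching the commit message; the same pattern with
# limit=5, window_seconds=3600 gives the register limit.
LOGIN_LIMITER = SlidingWindowLimiter(limit=10, window_seconds=60)


def login_allowed(headers: Dict[str, str], peer_ip: str, now: Optional[float] = None) -> bool:
    """Decide whether a login attempt may proceed, keyed on the real client IP."""
    key = client_ip(headers.get("x-forwarded-for"), peer_ip)
    return LOGIN_LIMITER.allow(key, now)


if __name__ == "__main__":
    # Constructed requests: a direct client spoofing the header, and one via nginx.
    print(client_ip("1.2.3.4", "203.0.113.9"))                 # 203.0.113.9
    print(client_ip("1.2.3.4, 198.51.100.7", "10.0.0.5"))      # 198.51.100.7
```

With slowapi the same logic plugs in as `Limiter(key_func=...)`, where the key function receives the Starlette `Request` and would call `client_ip(request.headers.get("x-forwarded-for"), request.client.host)`; keep the trusted-proxy set in sync with the nginx layer, because the nginx `limit_req` keyed on `$binary_remote_addr` sees the real peer while the application only sees nginx.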


@@ -44,6 +44,10 @@ python-jose[cryptography]==3.3.0
passlib[bcrypt]==1.7.4
bcrypt==4.0.1
# Rate limiting
slowapi==0.1.9
limits==3.13.0
# Utilities
python-dateutil==2.9.0
tiktoken==0.8.0
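Review bot: `limits==3.13.0` is pinned without the Redis extra even though the commit message describes the slowapi limiter as Redis-backed; the Redis storage backend in `limits` needs the `redis` client package at import time, so unless `redis` is already pinned elsewhere in this file, pin `limits[redis]==3.13.0` (or add an explicit `redis` line under `# Rate limiting`) so a fresh install does not fail when the storage URI is configured. A short comment on why `limits` is pinned explicitly next to `slowapi` (it is slowapi's transitive dependency) would also help the next person bumping versions.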