Merge pull request #77 from indrasuthar07/rate-limiting

04shubham7 · web-flow · commit 02ceb95986f3 · 2025-11-15T19:38:45.000+05:30
feat: rate limiting on auth
diff --git a/backend/package-lock.json b/backend/package-lock.json
diff --git a/backend/package.json b/backend/package.json
@@ -17,6 +17,7 @@
     "cors": "^2.8.5",
     "dotenv": "^17.2.3",
     "express": "^5.1.0",
+    "express-rate-limit": "^8.2.1",
     "jsonwebtoken": "^9.0.2",
     "mongodb": "^6.20.0",
     "mongoose": "^8.19.4",
diff --git a/backend/src/app.ts b/backend/src/app.ts
@@ -14,6 +14,9 @@ import path from "path";
 dotenv.config();
 const app = express();
 
+if (process.env.TRUST_PROXY === "true") {
+  app.set("trust proxy", true);
+}
 // Required for __dirname in ES modules / TS
 // (TS compiles to CJS so this works fine)
 const __dirnameLocal = path.resolve();
diff --git a/backend/src/middleware/rateLimiter.ts b/backend/src/middleware/rateLimiter.ts
@@ -0,0 +1,30 @@
+import rateLimit from "express-rate-limit";
+import type { Request, Response } from "express";
+import logger from "../utils/logger.js";
+
+export const authRateLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, 
+  max: 5,
+  standardHeaders: true, 
+  legacyHeaders: false, 
+  handler: (req: Request, res: Response) => {
+    const clientIP = req.ip || req.socket.remoteAddress || "unknown";
+    logger.warn(
+      `Rate limit exceeded for IP: ${clientIP} on ${req.method} ${req.originalUrl}`
+    );
+    
+    const retryAfter = req.rateLimit?.resetTime 
+      ? Math.round((req.rateLimit.resetTime - Date.now()) / 1000)
+      : 900; 
+    
+    res.status(429).json({
+      success: false,
+      message: "Too many authentication attempts. Please try again after 15 minutes.",
+      retryAfter,
+    });
+  },
+  keyGenerator: (req: Request) => {
+    return req.ip || req.socket.remoteAddress || "unknown";
+  },
+});
+
diff --git a/backend/src/routes/authRoutes.ts b/backend/src/routes/authRoutes.ts
@@ -9,6 +9,7 @@ import {
 import passport from "passport";
 import { Session } from "../models/sessionModel.js";
 import { protect } from "../middleware/authMiddleware.js";
+import { authRateLimiter } from "../middleware/rateLimiter.js";
 import { generateToken, generateRefreshToken } from "../utils/generateToken.js";
 import jwt from "jsonwebtoken";
 import dotenv from "dotenv";
@@ -20,9 +21,8 @@ dotenv.config();
 const router = express.Router();
 const FRONTEND_URL = process.env.FRONTEND_URL || "http://localhost:5173";
 
-// REST endpoints
-router.post("/signup", registerUser);
-router.post("/signin", loginUser);
+router.post("/signup", authRateLimiter, registerUser);
+router.post("/signin", authRateLimiter, loginUser);
 router.post("/logout", logoutUser);
 router.get("/refresh", handleRefreshToken);
 router.get("/me", protect, getUserProfile);
diff --git a/frontend/src/pages/Signin.tsx b/frontend/src/pages/Signin.tsx
@@ -54,12 +54,23 @@ const SignIn = () => {
       reset();
       navigate("/"); // redirect to home/dashboard
     } catch (error: any) {
-      toast({
-        title: "Error",
-        description:
-          error.response?.data?.message || "Login failed. Please try again.",
-        variant: "destructive",
-      });
+      // Handle rate limiting errors
+      if (error.response?.status === 429) {
+        const retryAfter = error.response?.data?.retryAfter || 15;
+        const minutes = Math.ceil(retryAfter / 60);
+        toast({
+          title: "Too Many Attempts",
+          description: `Too many login attempts. Please try again after ${minutes} minute${minutes > 1 ? 's' : ''}.`,
+          variant: "destructive",
+        });
+      } else {
+        toast({
+          title: "Error",
+          description:
+            error.response?.data?.message || "Login failed. Please try again.",
+          variant: "destructive",
+        });
+      }
     } finally {
       setIsLoading(false);
     }
diff --git a/frontend/src/pages/Signup.tsx b/frontend/src/pages/Signup.tsx
@@ -83,16 +83,30 @@ const SignUp = () => {
       reset();
       setTimeout(() => navigate("/signin"), 1500);
     } catch (error: any) {
-      const msg =
-        error.response?.data?.message ||
-        "Registration failed. Please try again.";
-      toast({
-        title: "Error",
-        description: msg,
-        variant: "destructive",
-      });
-      setServerMessage(msg);
-      setIsError(true);
+      // Handle rate limiting errors
+      if (error.response?.status === 429) {
+        const retryAfter = error.response?.data?.retryAfter || 15;
+        const minutes = Math.ceil(retryAfter / 60);
+        const msg = `Too many registration attempts. Please try again after ${minutes} minute${minutes > 1 ? 's' : ''}.`;
+        toast({
+          title: "Too Many Attempts",
+          description: msg,
+          variant: "destructive",
+        });
+        setServerMessage(msg);
+        setIsError(true);
+      } else {
+        const msg =
+          error.response?.data?.message ||
+          "Registration failed. Please try again.";
+        toast({
+          title: "Error",
+          description: msg,
+          variant: "destructive",
+        });
+        setServerMessage(msg);
+        setIsError(true);
+      }
     } finally {
       setIsLoading(false);
     }
