feat: IP-based rate limiting for login endpoint#585
Merged
greatest0fallt1me merged 1 commit intoJun 29, 2026
Merged
Conversation
- Create loginThrottle middleware for /auth/wallet endpoint - Add environment configuration (LOGIN_RATE_LIMIT_MAX_REQUESTS, LOGIN_RATE_LIMIT_WINDOW_MS) - Apply sliding window rate limit per IP address - Support proxy headers for accurate IP detection when TRUST_PROXY_HEADERS=true - Return 429 with Retry-After header when limit exceeded - Use standardized error envelope (code, message, requestId) - Add comprehensive unit tests for middleware and limiter class
|
@ayomidearegbeshola29-dev Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀 |
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Login IP Throttle
Feature Description
This implementation adds IP-based rate limiting for login attempts on the
/auth/walletendpoint. Each IP address is limited to a configurable number of login attempts within a sliding time window to prevent brute force attacks.API Changes
Login Endpoint
POST /auth/wallet
The wallet login endpoint is now protected by IP-based rate limiting:
Retry-Afterheader when throttled{ "code": "TOO_MANY_REQUESTS", "message": "Too Many Requests", "requestId": "req-xxx", "retryAfterMs": 30000 }Configuration
Environment variables (with defaults):
LOGIN_RATE_LIMIT_MAX_REQUESTSLOGIN_RATE_LIMIT_WINDOW_MSTRUST_PROXY_HEADERSBehavior
Sliding Window
The rate limiter uses a sliding window approach. Each successful request increments a counter that expires after the configured window. When the counter reaches the limit, subsequent requests are rejected with 429.
IP Detection
TRUST_PROXY_HEADERS=true, respects standard proxy headers (X-Forwarded-For,X-Real-IP, etc.) for accurate client IP detection behind load balancersPer-IP Isolation
Rate limits are tracked independently per IP address. Multiple attackers from different IPs each get their own budget.
Security Considerations
code,message,requestId)getClientIputility for consistent IP extraction across the codebaseTest Coverage
InMemoryLoginRateLimitercovering all edge casescreateLoginThrottlemiddlewareRetry-Afterheader consistencycloses #516