Login IP Throttle

Feature Description

This implementation adds IP-based rate limiting for login attempts on the /auth/wallet endpoint. Each IP address is limited to a configurable number of login attempts within a sliding time window to prevent brute force attacks.

API Changes

Login Endpoint

POST /auth/wallet

The wallet login endpoint is now protected by IP-based rate limiting:

• Default: 5 requests per 60 seconds per IP address
• Rate limit headers: Returns Retry-After header when throttled
• Response on throttling:

{
  "code": "TOO_MANY_REQUESTS",
  "message": "Too Many Requests",
  "requestId": "req-xxx",
  "retryAfterMs": 30000
}

Configuration

Environment variables (with defaults):

Behavior

Sliding Window

The rate limiter uses a sliding window approach. Each successful request increments a counter that expires after the configured window. When the counter reaches the limit, subsequent requests are rejected with 429.

IP Detection

• By default (no proxy), uses the direct socket connection IP
• When TRUST_PROXY_HEADERS=true, respects standard proxy headers (X-Forwarded-For, X-Real-IP, etc.) for accurate client IP detection behind load balancers

Per-IP Isolation

Rate limits are tracked independently per IP address. Multiple attackers from different IPs each get their own budget.

Security Considerations

• Rate limiting prevents credential stuffing and brute force attacks
• Response uses standardized error envelope (code, message, requestId)
• No IP addresses are exposed in error responses
• Structured logging includes client IP for monitoring and alerting
• Uses existing getClientIp utility for consistent IP extraction across the codebase

Test Coverage

• Unit tests for InMemoryLoginRateLimiter covering all edge cases
• Unit tests for createLoginThrottle middleware
• Tests for window expiry behavior
• Tests for per-IP isolation
• Tests for Retry-After header consistency

closes #516