feat: rate-limit /auth/login, /register, /me/password (0.35.0)
A hand-rolled token-bucket limiter (5 req/sec, 10-request burst by default; AUTH_RATE_PER_SEC/AUTH_RATE_BURST env knobs) gates the three auth-mutation endpoints. One bucket per AppState so tests stay isolated. Tower-governor wasn't wired in because the reverse proxy doesn't yet forward client IPs — a global bucket gives equivalent brute-force protection until that lands. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
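The limiter the commit message describes, sketched as an added example (not the code from this commit, whose source is not shown on this page): a token bucket with the stated defaults of 5 req/sec and a 10-request burst. The `TokenBucket` type, its method names and the fallback for unparsable env values are assumptions; the clock is passed in so the behaviour can be checked deterministically.

```rust
use std::time::{Duration, Instant};

/// Token bucket: capacity `burst`, refilled continuously at `rate_per_sec`.
/// (Hypothetical type for illustration, not the project's own.)
pub struct TokenBucket {
    rate_per_sec: f64,
    burst: f64,
    tokens: f64,
    last: Instant,
}

impl TokenBucket {
    pub fn new(rate_per_sec: f64, burst: f64, now: Instant) -> Self {
        Self { rate_per_sec, burst, tokens: burst, last: now }
    }

    /// Defaults from the commit message, overridable via the env knobs it names.
    /// Assumption: unset, unparsable or non-positive values fall back to the default.
    pub fn from_env(now: Instant) -> Self {
        let knob = |name: &str, default: f64| {
            std::env::var(name).ok()
                .and_then(|v| v.parse::<f64>().ok())
                .filter(|v| v.is_finite() && *v > 0.0)
                .unwrap_or(default)
        };
        // A burst below 1 could never admit a request, so clamp it.
        Self::new(knob("AUTH_RATE_PER_SEC", 5.0), knob("AUTH_RATE_BURST", 10.0).max(1.0), now)
    }

    /// Take one token. Err carries the wait a 429 Retry-After header could report.
    pub fn try_acquire(&mut self, now: Instant) -> Result<(), Duration> {
        let elapsed = now.saturating_duration_since(self.last).as_secs_f64();
        self.tokens = (self.tokens + elapsed * self.rate_per_sec).min(self.burst);
        self.last = self.last.max(now); // never move the clock backwards
        if self.tokens >= 1.0 {
            self.tokens -= 1.0;
            Ok(())
        } else {
            Err(Duration::from_secs_f64((1.0 - self.tokens) / self.rate_per_sec))
        }
    }
}

fn main() {
    let t0 = Instant::now();
    let mut bucket = TokenBucket::from_env(t0);
    let allowed = (0..15).filter(|_| bucket.try_acquire(t0).is_ok()).count();
    println!("{} of 15 simultaneous requests allowed", allowed);
}
```

One instance shared by the three endpoints counts every caller against the same budget, which is the global-bucket behaviour the message describes.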
2
backend/Cargo.lock
generated
@@ -1470,7 +1470,7 @@ checksum = "c41e0c4fef86961ac6d6f8a82609f55f31b05e4fce149ac5710e439df7619ba4"
[[package]]
name = "mangalord"
version = "0.34.0"
version = "0.35.0"
dependencies = [
"anyhow",
"argon2",
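Review bot: The mangalord entry moves from 0.34.0 to 0.35.0 here while the dependencies list in the visible context is unchanged, so check that backend/Cargo.toml declares the same 0.35.0; a mismatch would make `cargo build --locked` fail in CI. Since the file is marked generated, regenerating it with cargo rather than editing the version by hand avoids drift between the manifest and the lockfile.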