feat: rate-limit /auth/login, /register, /me/password (0.35.0)

A hand-rolled token-bucket limiter (5 req/sec, 10-request burst by
default; AUTH_RATE_PER_SEC/AUTH_RATE_BURST env knobs) gates the three
auth-mutation endpoints. One bucket per AppState so tests stay
isolated. Tower-governor wasn't wired in because the reverse proxy
doesn't yet forward client IPs — a global bucket gives equivalent
brute-force protection until that lands.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
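The commit message describes the limiter's design (token bucket, 5 req/sec refill, 10-request burst, overridable via AUTH_RATE_PER_SEC and AUTH_RATE_BURST, one bucket shared per application state). As an added illustration that is not the project's code and not taken from this commit, the following std-only Rust sketch shows a bucket with an injected clock so the refill arithmetic can be checked deterministically; the names `TokenBucket`, `AuthLimiter`, `config_from_env` and `allowed_in_burst` are hypothetical, and the HTTP status mapping (429 on rejection) is an assumption about how a handler would use it.

```rust
// Added example: minimal token-bucket limiter in the spirit of the commit
// message. Not the project's code; all names are hypothetical.
use std::sync::Mutex;
use std::time::Instant;

pub struct TokenBucket {
    capacity: f64,     // burst size: max tokens the bucket can hold
    rate_per_sec: f64, // refill rate in tokens per second
    tokens: f64,
    last: f64,         // timestamp (seconds) of the last refill
}

impl TokenBucket {
    pub fn new(rate_per_sec: f64, burst: u32, now: f64) -> Self {
        Self { capacity: burst as f64, rate_per_sec, tokens: burst as f64, last: now }
    }

    /// Refill proportionally to elapsed time (capped at capacity), then
    /// take one token if available. Clock going backwards counts as zero.
    pub fn try_acquire(&mut self, now: f64) -> bool {
        let elapsed = (now - self.last).max(0.0);
        self.tokens = (self.tokens + elapsed * self.rate_per_sec).min(self.capacity);
        self.last = now;
        if self.tokens >= 1.0 {
            self.tokens -= 1.0;
            true
        } else {
            false
        }
    }
}

/// Parse the two env knobs; unset, malformed or non-positive values fall
/// back to the defaults from the commit message (5 req/sec, burst 10).
pub fn config_from_env(per_sec: Option<&str>, burst: Option<&str>) -> (f64, u32) {
    let rate = per_sec
        .and_then(|s| s.parse::<f64>().ok())
        .filter(|r| *r > 0.0)
        .unwrap_or(5.0);
    let burst = burst
        .and_then(|s| s.parse::<u32>().ok())
        .filter(|b| *b > 0)
        .unwrap_or(10);
    (rate, burst)
}

/// One shared limiter per application state, guarding the auth endpoints.
pub struct AuthLimiter {
    bucket: Mutex<TokenBucket>,
    start: Instant,
}

impl AuthLimiter {
    pub fn from_env() -> Self {
        let (rate, burst) = config_from_env(
            std::env::var("AUTH_RATE_PER_SEC").ok().as_deref(),
            std::env::var("AUTH_RATE_BURST").ok().as_deref(),
        );
        let start = Instant::now();
        Self { bucket: Mutex::new(TokenBucket::new(rate, burst, 0.0)), start }
    }

    /// Ok(()) admits the request; Err(429) is the status a handler would return.
    pub fn check(&self) -> Result<(), u16> {
        let now = self.start.elapsed().as_secs_f64();
        if self.bucket.lock().unwrap().try_acquire(now) { Ok(()) } else { Err(429) }
    }
}

/// How many of `n` back-to-back requests at the same instant get through.
pub fn allowed_in_burst(rate: f64, burst: u32, n: usize) -> usize {
    let mut b = TokenBucket::new(rate, burst, 0.0);
    (0..n).filter(|_| b.try_acquire(0.0)).count()
}

fn main() {
    let limiter = AuthLimiter::from_env();
    let passed = (0..20).filter(|_| limiter.check().is_ok()).count();
    println!("{} of 20 immediate login attempts admitted", passed);
}
```

Because the bucket is global rather than keyed by client, a flood from one source exhausts it for every client, so legitimate logins see 429s while the flood lasts; that is the trade-off the commit message accepts until the proxy forwards client IPs, at which point a per-IP key (or tower-governor) restores isolation between clients.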
This commit is contained in:
MechaCat02
2026-05-28 07:56:06 +02:00
parent e7662d18d6
commit 699c1d0d69
12 changed files with 382 additions and 4 deletions


@@ -1,6 +1,6 @@
[package]
name = "mangalord"
version = "0.34.0"
version = "0.35.0"
edition = "2021"
default-run = "mangalord"
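Review bot: this hunk only bumps `version` from 0.34.0 to 0.35.0 and adds no dependency, which matches the commit message's statement that the limiter is hand-rolled rather than pulling in tower-governor. Since the release now rejects login, register and password-change requests with a rate limit that is global across all clients, the release notes for 0.35.0 should call out the new behaviour and the AUTH_RATE_PER_SEC / AUTH_RATE_BURST knobs so operators can tune them before users see unexpected rejections.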