Description
The POST /auth/signup and POST /auth/login endpoints have no rate limiting. An unauthenticated attacker can hammer these endpoints repeatedly to:
- Enumerate valid email addresses (signup returns "Email already exists" while login returns "Invalid credentials", so the two responses differ in content or timing)
- Conduct credential stuffing / brute force attacks against known accounts
- Exhaust server resources
Affected Files
backend/app/routers/auth.py:18 — signup endpoint
backend/app/routers/auth.py:40 — login endpoint
Expected Behavior
Apply per-IP rate limits to auth endpoints (e.g., 5 attempts per minute per IP using slowapi or a custom middleware). Return 429 Too Many Requests when the limit is exceeded.
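The custom-middleware option, as an added example that is not code from this project: a per-IP sliding-window limiter (5 attempts per 60 s by default) wrapped in a plain ASGI middleware that answers 429 with a Retry-After header for the two auth endpoints, plus a small offline driver. The names SlidingWindowLimiter, AuthRateLimitMiddleware, simulate_post and the sample IPs are assumptions.

```python
import asyncio
import math
import time
from collections import defaultdict, deque

AUTH_PATHS = {"/auth/signup", "/auth/login"}  # the two endpoints named in the issue

class SlidingWindowLimiter:  # per key: at most `limit` attempts in any `window` seconds
    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)  # key -> timestamps of recent attempts
    def check(self, key):
        """Record one attempt for key; return (allowed, retry_after_seconds)."""
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # expire attempts older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False, math.ceil(self.window - (now - q[0]))
        q.append(now)
        return True, 0

class AuthRateLimitMiddleware:  # plain ASGI middleware: 429 once an IP has spent its auth budget
    def __init__(self, app, limiter=None):
        self.app, self.limiter = app, limiter or SlidingWindowLimiter()
    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and scope["method"] == "POST" and scope["path"] in AUTH_PATHS:
            # scope["client"] is the TCP peer. Behind a reverse proxy, key on the header the
            # proxy itself sets; trusting a client-supplied X-Forwarded-For lets callers pick their bucket.
            ip = (scope.get("client") or ("unknown", 0))[0]
            allowed, retry_after = self.limiter.check(ip)  # one budget per IP, shared by both endpoints
            if not allowed:
                headers = [(b"retry-after", str(retry_after).encode()), (b"content-type", b"text/plain")]
                await send({"type": "http.response.start", "status": 429, "headers": headers})
                await send({"type": "http.response.body", "body": b"Too Many Requests"})
                return
        await self.app(scope, receive, send)

async def ok_app(scope, receive, send):  # stand-in for the real auth router: always 200
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})

def simulate_post(middleware, ip, path):  # one constructed POST from ip, run offline; returns the status
    seen = []
    async def send(msg): seen.append(msg)
    async def receive(): return {"type": "http.request", "body": b"", "more_body": False}
    scope = {"type": "http", "method": "POST", "path": path, "client": (ip, 40000)}
    asyncio.run(middleware(scope, receive, send))
    return seen[0]["status"]
```

The limiter keeps state in process memory, so with several workers each holds its own counters; a shared store is needed for one global per-IP budget.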
Labels
type:bug, level:intermediate, gssoc2026