Severity: Medium
Affected location: routes/auth.ts:49-69
Issue:
Login endpoint allows unlimited attempts, enabling password guessing attacks.
Mitigation plan:
- Add per-IP and per-account login attempt limits.
- Add progressive delay or temporary lockout after threshold.
- Emit structured security logs for repeated failures.
Verification / tests:
- Tests for throttling/lockout behavior after repeated failures.
- Ensure successful login still works after cooldown.
Severity: Medium
Affected location:
routes/auth.ts:49-69Issue:
Login endpoint allows unlimited attempts, enabling password guessing attacks.
Mitigation plan:
Verification / tests: