Securing Auth Endpoints with Rate Limiting (SEC-14)
Version: 1.0.56
Category: Infrastructure Security
Overview
As part of our ongoing security programme, Calmony Pay v1.0.56 introduces rate limiting on the NextAuth authentication endpoints and related tRPC routes. This addresses control SEC-14, which identified that /api/auth/* endpoints were reachable without any request throttling.
What Was the Risk?
Without rate limiting, any client could send an unbounded number of requests to the sign-in flow. This exposed three concrete risks:
| Risk | Description |
|---|---|
| Account enumeration | Repeated sign-in attempts can reveal whether an email address is registered. |
| Provider rate limit abuse | Upstream OAuth providers (e.g. Google, GitHub) impose their own rate limits; flooding our endpoints consumes that quota on behalf of legitimate users. |
| Brute-force amplification | Unrestricted requests to credential-based flows lower the cost of automated attacks. |
The same gap applied to the tRPC endpoints handling invite acceptance and organisation operations.
What Changed
Rate limiting middleware has been added to src/middleware.ts, running at the Vercel Edge layer. This means throttling is enforced before any application code or NextAuth handler is reached.
Enforced Limits
- Auth endpoints (/api/auth/*): 10 requests per IP per minute
- tRPC invite & org endpoints: throttled at the same layer
Implementation
The middleware uses Upstash Redis via the @upstash/ratelimit package, a serverless-compatible sliding window rate limiter. Each inbound request is keyed on its client IP. Note that at the edge the client IP arrives in forwarding headers written by the platform; the limiter key must come from that trusted, platform-set value and never from a header the client can supply, otherwise the limit is trivially bypassed by spoofing the header. If the limit is exceeded, the middleware short-circuits the request chain and returns:
HTTP 429 Too Many Requests
No application logic or database query is executed for rate-limited requests, keeping infrastructure costs flat under abuse conditions.
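The decision logic described above, as an added example that is not Calmony Pay's own src/middleware.ts. To keep it runnable offline, an in-memory sliding window limiter stands in for @upstash/ratelimit and Redis, and plain request/response shapes stand in for NextRequest/NextResponse; the tRPC path pattern, the `Retry-After` header and the `clientIp` helper are assumptions, not details taken from the release.

```typescript
// Added example: middleware-style rate limit check with an in-memory
// sliding window standing in for @upstash/ratelimit + Upstash Redis.
// Not the project's code; shapes and path patterns are assumptions.

type Decision = { success: boolean; limit: number; remaining: number; reset: number };

interface Limiter {
  limit(identifier: string, now: number): Decision;
}

// Exact sliding window: a hit is allowed if fewer than `max` hits fall in
// the trailing `windowMs`. (@upstash/ratelimit's slidingWindow uses a
// weighted two-bucket approximation in Redis; the semantics are the same.)
class MemorySlidingWindow implements Limiter {
  private hits = new Map<string, number[]>();
  constructor(private readonly max: number, private readonly windowMs: number) {}

  limit(identifier: string, now: number): Decision {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(identifier) ?? []).filter((t) => t > cutoff);
    const success = recent.length < this.max;
    if (success) recent.push(now); // rejected requests do not consume quota
    this.hits.set(identifier, recent);
    // The window frees a slot when the oldest counted hit ages out.
    const reset = recent.length > 0 ? recent[0] + this.windowMs : now;
    return { success, limit: this.max, remaining: Math.max(0, this.max - recent.length), reset };
  }
}

// Minimal stand-ins for NextRequest / NextResponse (assumption).
interface Req { url: string; headers: Record<string, string> }
interface Res { status: number; headers: Record<string, string> }
const PASS: Res = { status: 200, headers: {} }; // i.e. NextResponse.next()

// Paths covered by SEC-14. The tRPC procedure prefix is an assumption.
const THROTTLED: RegExp[] = [/^\/api\/auth\//, /^\/api\/trpc\/(invite|org)\./];

// Assumption: x-forwarded-for is written by the trusted platform edge.
// Only the first hop is used; a client-supplied header must not reach here.
function clientIp(req: Req): string {
  const xff = req.headers["x-forwarded-for"];
  return xff ? xff.split(",")[0].trim() : "unknown";
}

function rateLimitMiddleware(limiter: Limiter, req: Req, now: number = Date.now()): Res {
  const path = new URL(req.url).pathname;
  if (!THROTTLED.some((re) => re.test(path))) return PASS; // not an auth/tRPC route

  const d = limiter.limit(`ip:${clientIp(req)}`, now);
  if (d.success) return PASS;

  // Short-circuit before any handler runs; tell well-behaved clients when to retry.
  return {
    status: 429,
    headers: {
      "Retry-After": String(Math.max(1, Math.ceil((d.reset - now) / 1000))),
      "X-RateLimit-Limit": String(d.limit),
      "X-RateLimit-Remaining": "0",
    },
  };
}

// Drive 12 sign-in requests from one IP within a second and return the statuses.
function demo(): number[] {
  const limiter = new MemorySlidingWindow(10, 60_000);
  const req: Req = {
    url: "https://example.com/api/auth/signin",
    headers: { "x-forwarded-for": "203.0.113.7, 10.0.0.1" }, // constructed sample
  };
  return Array.from({ length: 12 }, (_, i) => rateLimitMiddleware(limiter, req, i).status);
}

console.log(demo().join(" ")); // 200 x10, then 429 429
```

Because rejected requests are not recorded, a client that keeps hammering after the first 429 does not push its own reset time further out; the `Retry-After` value is derived from the oldest counted hit, which is the behaviour a polite client expects.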
Middleware Placement
Inbound request
│
▼
┌─────────────────────────┐
│ src/middleware.ts │ ◄── Rate limit check (Edge)
│ @upstash/ratelimit │
└────────┬────────────────┘
│ Under limit
▼
┌─────────────────────────┐
│ NextAuth / tRPC handler │
└─────────────────────────┘
Configuration
The rate limiter requires the following environment variables to connect to Upstash Redis:
| Variable | Description |
|---|---|
| UPSTASH_REDIS_REST_URL | REST endpoint URL for your Upstash Redis database |
| UPSTASH_REDIS_REST_TOKEN | Auth token for the Upstash Redis REST API |
These can be provisioned from the Upstash Console and must be set in your Vercel project environment.
Impact on Legitimate Users
The 10-requests-per-minute ceiling is well above normal sign-in behaviour. A human user completing an OAuth flow generates 1–3 requests per attempt, so the limit is designed to be invisible to legitimate traffic while blocking automated abuse. Because the key is the client IP, many users sharing one egress address (office NAT, campus or carrier-grade NAT, a VPN exit) share one budget, so a burst of simultaneous sign-ins from such a network could hit the limit; conversely, an attacker rotating source IPs is slowed per address rather than stopped outright.
If your deployment environment has specific requirements (e.g. higher limits for testing pipelines, or a larger budget for a known shared egress), the threshold can be adjusted in src/middleware.ts.