Protecting Auth Endpoints with Rate Limiting (SEC-14)
Protecting Auth Endpoints with Rate Limiting (SEC-14)
Release: v1.0.415 · Category: Infrastructure Security
Overview
As part of our ongoing security programme, release v1.0.415 closes a significant gap identified under control SEC-14: the credentials sign-in and account registration endpoints had no rate limiting in place, leaving them open to the following attack vectors:
| Attack | Affected Endpoint | Risk |
|---|---|---|
| Brute-force password guessing | POST /api/auth/[...nextauth] (credentials provider) | Account takeover |
| Bulk account creation | registerUser server action | Abuse, spam |
| Email enumeration via timing | registerUser server action | Privacy / credential exposure |
What Changed
Middleware (src/middleware.ts)
The Next.js middleware now intercepts requests to both auth paths before they reach the NextAuth or server-action handler. A rate-limit check is applied using the platform's existing rateLimit() utility:
Paths protected:
/api/auth/credentials
/api/auth/register
Rate-limit parameters:
key = 'sign-in-attempt'
identifier = clientIp
max = 10 requests
windowMs = 60 000 ms (1 minute)
If the threshold is exceeded the middleware short-circuits the request and returns:
HTTP 429 Too Many Requests
Requests that remain within the limit are forwarded to the auth handler unchanged — there is no added latency for legitimate users.
registerUser Server Action
The same rateLimit() call is now placed at the top of the registerUser server action, keyed on the request IP, with identical max and windowMs values. This means rate limiting is enforced even when the action is invoked directly (e.g. via a Server Action call), not solely through the middleware layer.
Impact on Users
- Normal users — no change. Ten attempts per minute is well above the threshold for any legitimate sign-in or registration flow.
- Locked-out users — if the limit is hit (e.g. repeated failed sign-ins), the user should wait 60 seconds before trying again. The window resets automatically.
- API integrations — if you call the credentials sign-in or registration endpoints programmatically, ensure your retry logic respects
429responses and backs off accordingly.
Security Posture
This change mitigates the following OWASP categories:
- OAT-007 Credential Cracking — rate limiting caps password-guess throughput.
- OAT-010 Card Cracking / Account Creation — bulk registration is throttled per IP.
- Timing-based email enumeration — consistent early rejection prevents differential response-time analysis.
Rate limiting complements existing controls such as bcrypt password hashing and NextAuth session management, providing defence-in-depth at the network edge.