
feat: add rate limiting to auth routes via dedicated rateLimiter midd… #246

Merged
BHUVANSH855 merged 1 commit into AnthropicBots:main from jikrana1:feat/rate-limiting-auth-routes-235 on Jun 23, 2026

Conversation

@jikrana1


📋 Pull Request — Add Rate Limiting to Auth Routes

🔗 Related Issue

Closes #235: Add rate limiting to auth routes (login, signup, refresh-token) to prevent brute-force attacks


📝 Summary

The auth routes (/login, /signup, /verify-signup, /forgot-password, /reset-password, /refresh-token) had no rate limiting applied, making them vulnerable to brute-force attacks and spam. This PR adds a dedicated middleware/rateLimiter.js file with route-specific limiters and applies them to all sensitive auth endpoints.


🐛 Root Cause

| # | Problem | Fix Applied |
|---|---------|-------------|
| 1 | No rate limiting on /login — attacker could send unlimited password guesses | Added loginLimiter (10 req/15min) |
| 2 | No rate limiting on /signup — spam/fake account creation possible | Added signupLimiter (20 req/15min) |
| 3 | No rate limiting on /forgot-password and /reset-password — OTP spam possible | Added forgotPasswordLimiter (5 req/15min) |
| 4 | No rate limiting on /refresh-token — token abuse possible | Added refreshTokenLimiter (30 req/15min) |

✅ Changes Made

New Files

| File | Purpose |
|------|---------|
| middleware/rateLimiter.js | Dedicated file with all rate limiter instances — loginLimiter, signupLimiter, refreshTokenLimiter, forgotPasswordLimiter |

Modified Files

| File | What Changed |
|------|--------------|
| routes/authRoutes.js | Imported limiters from middleware/rateLimiter.js and applied to /login, /signup, /verify-signup, /forgot-password, /reset-password, /refresh-token |

🛡️ Rate Limit Configuration

| Route | Limiter | Max Requests | Window |
|-------|---------|--------------|--------|
| POST /login | loginLimiter | 10 | 15 min |
| POST /signup | signupLimiter | 20 | 15 min |
| POST /verify-signup | signupLimiter | 20 | 15 min |
| POST /forgot-password | forgotPasswordLimiter | 5 | 15 min |
| POST /reset-password | forgotPasswordLimiter | 5 | 15 min |
| POST /refresh-token | refreshTokenLimiter | 30 | 15 min |

/logout and /me are already protected by authMiddleware so rate limiting is lower priority for those routes.


🧪 Testing Checklist

  • POST /login — returns 429 after 10 requests within 15 minutes
  • POST /signup — returns 429 after 20 requests within 15 minutes
  • POST /forgot-password — returns 429 after 5 requests within 15 minutes
  • POST /refresh-token — returns 429 after 30 requests within 15 minutes
  • Rate limit response includes success: false and descriptive message
  • Normal requests (within limit) work as expected — no regression
  • RateLimit-* headers visible in response (standardHeaders: true)
  • No console errors on server startup

💻 How to Test Locally

# Install dependency
npm install express-rate-limit

# Start server
npm run dev

# Test rate limit (send 11 requests to /login)
for i in {1..11}; do curl -X POST http://localhost:5000/api/auth/login -H "Content-Type: application/json" -d '{"email":"test@test.com","password":"test"}'; done

📌 Coding Standards Followed

  • Dedicated middleware/rateLimiter.js — separation of concerns, reusable across other route files
  • standardHeaders: true — exposes RateLimit-* headers per RFC standard
  • legacyHeaders: false — disables deprecated X-RateLimit-* headers
  • Descriptive error messages per route for better UX
  • No change to existing validation logic or controller functions
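The PR wires express-rate-limit into the auth router but the diff itself is not on this page. The block below is an added example, not the PR's or the project's code: a dependency-free fixed-window limiter with the same option shape the PR describes (windowMs, max, RateLimit-* headers as with standardHeaders: true, no X-RateLimit-* headers as with legacyHeaders: false, and a 429 JSON body carrying success: false). The limit values mirror the PR's configuration table; the error messages, the client addresses and the makeRes/simulate test harness are this example's own constructions, and the clock is injectable so the 15-minute window can be exercised without waiting.

```javascript
// Added example (not the PR's code): fixed-window per-client limiter shaped like
// the express-rate-limit options the PR uses. Limits match the PR's table.
const FIFTEEN_MINUTES = 15 * 60 * 1000;

// Messages are this example's own wording, not the PR's.
const LIMITER_CONFIG = {
  loginLimiter:          { max: 10, windowMs: FIFTEEN_MINUTES, message: 'Too many login attempts, try again in 15 minutes.' },
  signupLimiter:         { max: 20, windowMs: FIFTEEN_MINUTES, message: 'Too many signup attempts, try again in 15 minutes.' },
  forgotPasswordLimiter: { max: 5,  windowMs: FIFTEEN_MINUTES, message: 'Too many password reset requests, try again in 15 minutes.' },
  refreshTokenLimiter:   { max: 30, windowMs: FIFTEEN_MINUTES, message: 'Too many token refreshes, try again in 15 minutes.' },
};

function createRateLimiter({ windowMs, max, message, now = Date.now }) {
  const hits = new Map(); // client key -> { count, resetAt }

  return function rateLimiter(req, res, next) {
    // req.ip only reflects the real client behind a reverse proxy when Express's
    // 'trust proxy' setting is configured; otherwise all clients share one bucket.
    const key = req.ip;
    const t = now();
    let entry = hits.get(key);
    if (!entry || t >= entry.resetAt) {
      entry = { count: 0, resetAt: t + windowMs }; // start a fresh window
      hits.set(key, entry);
    }
    entry.count += 1;

    // Equivalent of standardHeaders: true (RateLimit-* fields, reset in seconds).
    const remaining = Math.max(0, max - entry.count);
    const resetSeconds = Math.ceil((entry.resetAt - t) / 1000);
    res.setHeader('RateLimit-Limit', String(max));
    res.setHeader('RateLimit-Remaining', String(remaining));
    res.setHeader('RateLimit-Reset', String(resetSeconds));
    // Equivalent of legacyHeaders: false: no X-RateLimit-* headers are emitted.

    if (entry.count > max) {
      res.setHeader('Retry-After', String(resetSeconds));
      return res.status(429).json({ success: false, message });
    }
    return next();
  };
}

// Build all four limiters; `now` lets a test drive the clock deterministically.
function buildLimiters(now = Date.now) {
  const out = {};
  for (const [name, cfg] of Object.entries(LIMITER_CONFIG)) {
    out[name] = createRateLimiter({ ...cfg, now });
  }
  return out;
}

// Minimal stand-in for an Express response object (constructed for this example).
function makeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.setHeader = (name, value) => { res.headers[name.toLowerCase()] = value; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Send `n` requests from one client through `limiter`; returns one record per request.
function simulate(limiter, ip, n) {
  const results = [];
  for (let i = 0; i < n; i += 1) {
    const res = makeRes();
    let passed = false;
    limiter({ ip }, res, () => { passed = true; });
    results.push({
      status: res.statusCode,
      passed,
      remaining: Number(res.headers['ratelimit-remaining']),
      hasLegacyHeader: 'x-ratelimit-limit' in res.headers,
      body: res.body,
    });
  }
  return results;
}

// Mounting in Express would look like:  router.post('/login', limiters.loginLimiter, loginController);
// Stand-alone demo: the 11th login attempt from one (constructed) address is rejected.
const demo = simulate(buildLimiters().loginLimiter, '203.0.113.10', 11);
console.log(demo.map((r) => r.status).join(' ')); // prints 200 ten times, then 429
```

Two points a reviewer would check on the real PR: first, the limiters key on the client address, so behind Vercel or any reverse proxy the app must set Express's `trust proxy` or every user lands in the proxy's single bucket (and legitimate users get locked out together). Second, the default in-memory store is per-process; with several instances the effective limit multiplies, which is why express-rate-limit offers a `store` option for a shared backend. Neither changes the fact that per-IP limiting only slows down single-origin brute force; account lockout or credential-stuffing detection on the login controller remains a separate control.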

@vercel

vercel Bot commented Jun 23, 2026


Someone is attempting to deploy a commit to the Bhuvansh's projects Team on Vercel.

A member of the Team first needs to authorize it.

@BHUVANSH855 BHUVANSH855 left a comment


LGTM, thanks for adding this.

@BHUVANSH855 BHUVANSH855 added action: merge Pull Request is ready for merge. SSoC26 Program label for Social Summer of Code Season 5. Medium Program's points label. labels Jun 23, 2026
@BHUVANSH855 BHUVANSH855 merged commit b007c5b into AnthropicBots:main Jun 23, 2026
1 check failed