
Tech Story: Rate limit authentication endpoints #95

@GitAddRemote

Description


Tech Story

As a platform engineer, I want rate limiting applied to authentication endpoints so that brute force and credential stuffing attacks are blocked before they can enumerate valid credentials or exhaust server resources.

Context

POST /auth/login, POST /auth/register, and POST /auth/forgot-password are completely unprotected against automated abuse. An attacker can make unlimited requests to enumerate usernames, brute force passwords, or spam password reset emails. @nestjs/throttler is not currently installed.

Acceptance Criteria

  • ThrottlerModule installed and registered globally in AppModule
  • POST /auth/login: max 10 requests per minute per IP
  • POST /auth/register: max 5 requests per minute per IP
  • POST /auth/forgot-password: max 5 requests per minute per IP
  • All other routes have a permissive global default (e.g. 100/min) to catch runaway clients
  • Throttled requests return 429 Too Many Requests with a Retry-After header
  • Rate limit config values are env-configurable (not hardcoded)

Technical Elaboration

  • Install @nestjs/throttler
  • Register ThrottlerModule.forRootAsync in AppModule reading limits from ConfigService
  • Apply ThrottlerGuard as a global guard via APP_GUARD
  • Use @Throttle() decorator on specific auth controller methods to override the global default
  • Throttle by IP using the default ThrottlerGuard; for production behind a proxy, configure skipIf or trusted proxy header forwarding so X-Forwarded-For is used as the key
  • Add env vars: THROTTLE_TTL, THROTTLE_LIMIT, AUTH_THROTTLE_TTL, AUTH_THROTTLE_LIMIT (with sensible defaults)
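As an added example (not the issue's own code and not @nestjs/throttler's), the TypeScript below models the behaviour the acceptance criteria and elaboration above specify: a fixed-window counter keyed by route and client IP, a 429 decision carrying the Retry-After value, and trusted-proxy handling of X-Forwarded-For as the key. The limits are the literals from the criteria; the LIMITS table, FixedWindowThrottler and clientIp names are assumptions made for the example.

```typescript
// Added example: a dependency-free model of the throttling behaviour this story
// specifies (fixed window per route+IP, 429 with Retry-After). It stands in for
// @nestjs/throttler to show the semantics; it is not the library's code.
type Route = "login" | "register" | "forgot-password" | "default";
interface Limit { ttlMs: number; limit: number }

// Values from the acceptance criteria. In the real app they would come from the
// THROTTLE_*/AUTH_THROTTLE_* env vars named in the story, not from literals.
const LIMITS: Record<Route, Limit> = {
  login: { ttlMs: 60_000, limit: 10 },
  register: { ttlMs: 60_000, limit: 5 },
  "forgot-password": { ttlMs: 60_000, limit: 5 },
  default: { ttlMs: 60_000, limit: 100 },
};

type Decision = { status: 200 } | { status: 429; retryAfterSec: number };

class FixedWindowThrottler {
  private windows = new Map<string, { count: number; resetAt: number }>();
  constructor(private readonly limits: Record<Route, Limit>) {}
  // One decision per request; nowMs is injected so the window can be tested.
  check(route: Route, ip: string, nowMs: number): Decision {
    const { ttlMs, limit } = this.limits[route];
    const key = `${route}:${ip}`;           // separate bucket per route and per IP
    let w = this.windows.get(key);
    if (!w || nowMs >= w.resetAt) {         // start a fresh window when the old one expired
      w = { count: 0, resetAt: nowMs + ttlMs };
      this.windows.set(key, w);
    }
    if (w.count >= limit) {
      // Retry-After is the number of seconds until the window resets, rounded up.
      return { status: 429, retryAfterSec: Math.ceil((w.resetAt - nowMs) / 1000) };
    }
    w.count += 1;
    return { status: 200 };
  }
}

// Key selection behind a proxy: only honour X-Forwarded-For when the TCP peer is
// a trusted proxy, and take the rightmost hop that is not itself trusted, so a
// client cannot get a fresh bucket per request by prepending made-up addresses.
function clientIp(peerAddr: string, xff: string | undefined, trustedProxies: Set<string>): string {
  if (!xff || !trustedProxies.has(peerAddr)) return peerAddr;
  const hops = xff.split(",").map((h) => h.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return peerAddr;                          // header listed only proxies; fall back to the peer
}
```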

Notes

  • If the app runs behind an nginx/k8s ingress that already rate-limits, this provides defence-in-depth at the application layer
  • @SkipThrottle() should be applied to health check endpoints if added later

Metadata

Assignees

No one assigned

Labels

  • backend: Backend services and logic
  • security: Security, auth, and permissions
  • tech-story: Technical implementation story
