nanodrop

brendan/nanodrop

Fork 0

Commit Graph

Author	SHA1	Message	Date
Brendan Chen	bbd292c085	feat(auth): wire lockout, rate-limit, and constant-time login into both routes All checks were successful Deploy to Homelab / deploy (push) Successful in 18s Details Both POST /login (HTML form) and POST /api/v1/auth/login now flow through the shared attemptLogin() handler. Locked accounts respond with 401 + Retry-After (generic body "Invalid credentials" / "Invalid username or password") so attackers can't use lockout state as a username-existence oracle. @fastify/rate-limit registered with global=false; only the two login routes opt in via per-route rateLimit config. File uploads and downloads keep full throughput. Custom errorResponseBuilder logs AUTH_RATE_LIMITED fire-and-forget so fail2ban can pick it up. createTestApp now accepts Partial<Config> overrides so integration tests can dial thresholds down without env-var mutation.	2026-05-03 03:41:51 -07:00

Author

SHA1

Message

Date

Brendan Chen

bbd292c085

feat(auth): wire lockout, rate-limit, and constant-time login into both routes

Deploy to Homelab / deploy (push) Successful in 18s

Details

Both POST /login (HTML form) and POST /api/v1/auth/login now flow through
the shared attemptLogin() handler. Locked accounts respond with 401 +
Retry-After (generic body "Invalid credentials" / "Invalid username or
password") so attackers can't use lockout state as a username-existence
oracle.

@fastify/rate-limit registered with global=false; only the two login
routes opt in via per-route rateLimit config. File uploads and downloads
keep full throughput. Custom errorResponseBuilder logs AUTH_RATE_LIMITED
fire-and-forget so fail2ban can pick it up.

createTestApp now accepts Partial<Config> overrides so integration tests
can dial thresholds down without env-var mutation.

2026-05-03 03:41:51 -07:00

1 Commits