fix(security): replace in-memory rate limiting with persistent DB-backed limiter

- Add LoginAttempt model to Prisma schema with migration - Create rate-limit.ts utility (10 attempts / 15 min window, DB-backed) - Apply rate limiting to login endpoint (replaces in-memory Map) - Apply rate limiting to change-password endpoint (previously unprotected) - Rate limit state survives server restarts and works across multiple instances
2026-05-19 10:10:50 +02:00
parent 45a50dc906
commit f4eedaffe2
5 changed files with 64 additions and 25 deletions
@@ -0,0 +1,7 @@
+CREATE TABLE "LoginAttempt" (
+    "id" TEXT NOT NULL,
+    "key" TEXT NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    CONSTRAINT "LoginAttempt_pkey" PRIMARY KEY ("id")
+);
+CREATE INDEX "LoginAttempt_key_createdAt_idx" ON "LoginAttempt"("key", "createdAt");