fix(security): replace in-memory rate limiting with persistent DB-backed limiter
- Add LoginAttempt model to Prisma schema with migration - Create rate-limit.ts utility (10 attempts / 15 min window, DB-backed) - Apply rate limiting to login endpoint (replaces in-memory Map) - Apply rate limiting to change-password endpoint (previously unprotected) - Rate limit state survives server restarts and works across multiple instances
This commit is contained in:
@@ -255,3 +255,11 @@ model AuditLog {
|
||||
metadata Json?
|
||||
createdAt DateTime @default(now())
|
||||
}
|
||||
|
||||
model LoginAttempt {
|
||||
id String @id @default(cuid())
|
||||
key String // IP address or identifier
|
||||
createdAt DateTime @default(now())
|
||||
|
||||
@@index([key, createdAt])
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user