fix(plugin-auth): reduce password rate limit aggressiveness and reset limits on password change (#877)

Merged: kingston merged 4 commits into main from kingston/eng-1144-less-aggressive-password-rate-limits-and-reset-limit-after on Apr 1, 2026

Conversation

kingston (Collaborator) commented Apr 1, 2026

Summary

  • Reduce password rate limiting from aggressive defaults to 15 attempts/hour per IP and 10 consecutive failures/hour per account
  • Reset rate limit counters when a user successfully changes their password
  • Fix admin layout design and auth form validation messages

Details

Backend (plugin-auth):

  • user-password.service.ts: Relaxed rate limit thresholds and added limit reset on password change
  • password-reset.service.ts: Added rate limit reset after successful password reset
  • password-reset.mutations.ts: Minor schema adjustments

Frontend (auth routes + admin layout):

  • Login, register, forgot-password, and reset-password routes: improved validation messages and error handling
  • Admin layout: design fixes

Generator templates + examples:

  • Updated corresponding templates in plugin-auth and react-generators
  • Synced changes to blog-with-auth and todo-with-better-auth examples

Testing

  • Manually tested login rate limiting with new thresholds
  • Verified rate limits reset after password change/reset

Summary by CodeRabbit

Release Notes

  • New Features

    • Login rate limits are now reset after a successful password reset, improving account recovery experience.
    • Enhanced password validation error messages to guide users more clearly.
  • Bug Fixes

    • Adjusted password rate limiting thresholds for improved accessibility and user experience.
    • Updated error messaging to encourage password reset when login attempts are rate limited.
  • Documentation

    • Added changeset entry for authentication package updates.

changeset-bot (Bot) commented Apr 1, 2026

🦋 Changeset detected

Latest commit: fb38c9a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 24 packages (all of type Patch):

  • @baseplate-dev/plugin-auth
  • @baseplate-dev/project-builder-common
  • @baseplate-dev/project-builder-cli
  • @baseplate-dev/create-project
  • @baseplate-dev/code-morph
  • @baseplate-dev/core-generators
  • @baseplate-dev/fastify-generators
  • @baseplate-dev/project-builder-dev
  • @baseplate-dev/project-builder-lib
  • @baseplate-dev/project-builder-server
  • @baseplate-dev/project-builder-test
  • @baseplate-dev/project-builder-web
  • @baseplate-dev/react-generators
  • @baseplate-dev/sync
  • @baseplate-dev/tools
  • @baseplate-dev/ui-components
  • @baseplate-dev/utils
  • @baseplate-dev/plugin-ai
  • @baseplate-dev/plugin-email
  • @baseplate-dev/plugin-observability
  • @baseplate-dev/plugin-payments
  • @baseplate-dev/plugin-queue
  • @baseplate-dev/plugin-rate-limit
  • @baseplate-dev/plugin-storage


coderabbitai (Bot) commented Apr 1, 2026

Caution: Review failed. Pull request was closed or merged during review.

Walkthrough

The PR reduces password rate limiting aggressiveness by updating thresholds to 15 attempts/hour per IP and 10 consecutive failures/hour, introduces rate limit reset functionality after successful password resets, and enhances form validation with custom user-facing error messages across authentication routes and admin UI layouts.

Changes

Cohort / File(s) / Summary:

Release Documentation
  File(s): .changeset/less-aggressive-password-rate-limits.md
  Summary: Changeset entry for patch release documenting reduced rate limit thresholds, rate limit reset after password reset, and enhanced error messaging.

Admin Layout Components
  File(s): examples/blog-with-auth/apps/admin/src/components/layouts/admin-layout.tsx, examples/todo-with-better-auth/apps/admin/src/components/layouts/admin-layout.tsx, packages/react-generators/src/generators/admin/admin-layout/templates/components/layouts/admin-layout.tsx
  Summary: Restructure layouts to use SidebarInset wrapper, inject CSS custom properties for --sidebar-width and --header-height, adjust header height utility classes, and reorganize main content area with container query utilities.

Admin Home Page Padding
  File(s): examples/blog-with-auth/apps/admin/src/routes/admin/index.tsx, examples/todo-with-better-auth/apps/admin/src/routes/admin/index.tsx, packages/react-generators/src/generators/admin/admin-home/templates/routes/index.tsx
  Summary: Add p-4 padding class to root container alongside existing space-y-4.

Form Validation Messages
  File(s): examples/blog-with-auth/apps/admin/src/routes/auth_/forgot-password.tsx, examples/blog-with-auth/apps/admin/src/routes/auth_/register.tsx, examples/blog-with-auth/apps/admin/src/routes/auth_/reset-password.tsx, plugins/plugin-auth/src/local-auth/core/generators/auth-routes/templates/routes/auth_/...
  Summary: Update Zod schemas with custom user-facing validation error messages for email, name, and password fields.

Login Form Validation & Error Handling
  File(s): examples/blog-with-auth/apps/admin/src/routes/auth_/login.tsx, plugins/plugin-auth/src/local-auth/core/generators/auth-routes/templates/routes/auth_/login.tsx
  Summary: Add custom password validation messages and handle new login-ip-rate-limited and login-consecutive-fails-blocked error codes by clearing password field and displaying rate-limit error.

Password Reset Services
  File(s): examples/blog-with-auth/apps/backend/src/modules/accounts/auth/password/services/password-reset.service.ts, plugins/plugin-auth/src/local-auth/core/generators/auth-email-password/templates/module/services/password-reset.service.ts
  Summary: Extend completePasswordReset to accept context parameter and invoke resetLoginRateLimits after successful password reset.

Password Reset Mutations
  File(s): examples/blog-with-auth/apps/backend/src/modules/accounts/auth/password/schema/password-reset.mutations.ts, plugins/plugin-auth/src/local-auth/core/generators/auth-email-password/templates/module/schema/password-reset.mutations.ts
  Summary: Update resolver signature to accept and pass context to completePasswordReset.

User Password Service & Rate Limiting
  File(s): examples/blog-with-auth/apps/backend/src/modules/accounts/auth/password/services/user-password.service.ts, plugins/plugin-auth/src/local-auth/core/generators/auth-email-password/templates/module/services/user-password.service.ts
  Summary: Update rate limiter configuration (login-ip: 15 points/1h, login-consecutive-fails: 10 points/1h), refactor IP rate limit checking to use consume() with explicit error throw, update error messages to encourage password reset, and add resetLoginRateLimits function.

Tailwind Template Configuration
  File(s): packages/react-generators/src/generators/core/react-tailwind/extractor.json
  Summary: Reorder TPL_DARK_COLORS before TPL_GLOBAL_STYLES in JSON structure.

Auth Routes Generator
  File(s): plugins/plugin-auth/src/local-auth/core/generators/auth-routes/auth-routes.generator.ts
  Summary: Update generated validation schema strings to include custom error messages for email, name, and password fields.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Client
    participant AuthAPI
    participant RateLimiter
    participant PasswordService
    
    User->>Client: 1. Attempt login with incorrect password
    Client->>AuthAPI: POST /login (email, password)
    AuthAPI->>RateLimiter: Check consecutive-fails limit
    RateLimiter-->>AuthAPI: Blocked (10 attempts/hour exceeded)
    AuthAPI-->>Client: login-consecutive-fails-blocked error
    Client->>User: Display "Too many failed attempts, reset password"
    
    User->>Client: 2. Submit password reset form
    Client->>AuthAPI: POST /reset-password (token, newPassword)
    AuthAPI->>PasswordService: completePasswordReset(token, newPassword, context)
    PasswordService->>RateLimiter: resetLoginRateLimits(email, ip)
    RateLimiter->>RateLimiter: Delete rate limit counters
    RateLimiter-->>PasswordService: Success
    PasswordService-->>AuthAPI: Password reset complete
    AuthAPI-->>Client: Success response
    
    User->>Client: 3. Attempt login with new password
    Client->>AuthAPI: POST /login (email, newPassword)
    AuthAPI->>RateLimiter: Check rate limits (now reset)
    RateLimiter-->>AuthAPI: Allowed
    AuthAPI-->>Client: Login successful

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 25.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The PR title clearly and accurately summarizes the main changes: reducing password rate limit aggressiveness and resetting limits on password change, which are the core objectives of this changeset.

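The login and reset flow described above (login-ip at 15 points/1h per IP, login-consecutive-fails at 10 points/1h per account, consume() throwing once the budget is spent, and resetLoginRateLimits clearing both counters after a password reset), as an added TypeScript example that is not plugin-auth's own code. MemoryLimiter is an in-memory stand-in written for this example rather than the limiter the plugin uses, attemptLogin, isBlocked and the passwordOk flag are assumptions, and the hour window is driven by an explicit now timestamp so the expiry can be exercised offline.

```typescript
// Added example (not plugin-auth's own code): in-memory stand-in for the two
// limiters the PR configures, showing the consume()/throw and reset flow.
const HOUR_MS = 3_600_000;

interface Entry { count: number; expiresAt: number }
class MemoryLimiter {
  private hits = new Map<string, Entry>();
  constructor(private points: number, private durationMs: number) {}
  // Spend one point for `key`; throw once the window's budget is exceeded.
  consume(key: string, now: number): void {
    const e = this.hits.get(key);
    if (!e || e.expiresAt <= now) { this.hits.set(key, { count: 1, expiresAt: now + this.durationMs }); return; }
    e.count += 1;
    if (e.count > this.points) throw new Error('rate-limited');
  }
  // True while the key has used up its points in the current window.
  isBlocked(key: string, now: number): boolean {
    const e = this.hits.get(key);
    return !!e && e.expiresAt > now && e.count >= this.points;
  }
  delete(key: string): void { this.hits.delete(key); }
}

// Thresholds from the PR: 15 attempts/hour per IP, 10 consecutive failures/hour per account.
const loginIp = new MemoryLimiter(15, HOUR_MS);
const loginConsecutiveFails = new MemoryLimiter(10, HOUR_MS);

type LoginResult = 'ok' | 'invalid-credentials' | 'login-ip-rate-limited' | 'login-consecutive-fails-blocked';

// `passwordOk` stands in for the real credential check (assumption for this example).
function attemptLogin(email: string, ip: string, passwordOk: boolean, now: number): LoginResult {
  try { loginIp.consume(ip, now); } catch { return 'login-ip-rate-limited'; }
  if (loginConsecutiveFails.isBlocked(email, now)) return 'login-consecutive-fails-blocked';
  if (!passwordOk) {
    loginConsecutiveFails.consume(email, now); // cannot throw here: isBlocked() was false
    return 'invalid-credentials';
  }
  loginConsecutiveFails.delete(email); // a success ends the consecutive-fail streak
  return 'ok';
}

// Called after a successful password change/reset so the user can log in immediately.
function resetLoginRateLimits(email: string, ip: string): void {
  loginIp.delete(ip);
  loginConsecutiveFails.delete(email);
}
```

The IP counter is consumed before the account check, so an address that has spent its 15 attempts is rejected whichever account it names, while the per-account streak is cleared by either a successful login or a completed password reset.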

@kingston kingston merged commit 0527c02 into main Apr 1, 2026
14 of 15 checks passed
@kingston kingston deleted the kingston/eng-1144-less-aggressive-password-rate-limits-and-reset-limit-after branch April 1, 2026 15:21
@github-actions github-actions Bot mentioned this pull request Apr 1, 2026