feat: add throttling to user invitation and login endpoints #1565
Pull request overview
This pull request adds rate limiting protection to critical authentication and user management endpoints to prevent abuse and brute-force attacks.
Changes:
- Added throttling to the user login endpoint with a limit of 5 requests per minute (200 in test environment)
- Added throttling to the user invitation endpoint with a limit of 10 requests per minute (200 in test environment)
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| backend/src/entities/user/user.controller.ts | Added imports for Throttle decorator and isTest helper, applied throttling to the login endpoint |
| backend/src/entities/company-info/company-info.controller.ts | Applied throttling to the user invitation endpoint |
| description: 'Login successful.', | ||
| type: TokenExpDs, | ||
| }) | ||
| @Throttle({ default: { limit: isTest() ? 200 : 5, ttl: 60000 } }) |
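Review bot: the limit on the @Throttle line is counted per tracker key, and ThrottlerGuard's default tracker is the client IP, so 5 per minute per IP bounds a single source but not a brute-force attack on one account spread across many addresses; consider a second throttle keyed on the submitted identifier (a custom getTracker, or a separate guard on this handler) alongside the per-IP one. Also confirm that ThrottlerGuard is registered (for example as APP_GUARD) in the module that owns user.controller.ts, since the decorator alone records no limit without the guard, and that the 60000 value matches the installed @nestjs/throttler version (milliseconds from v5 on, seconds before that).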
The OTP login endpoint (/user/otp/login/) performs authentication and issues tokens similar to the regular login endpoint, but it lacks throttling protection. This endpoint should also be throttled to prevent brute-force attacks on 2FA codes. Consider adding a throttle decorator similar to the regular login endpoint.
| description: 'Login successful.', | ||
| type: TokenExpDs, | ||
| }) | ||
| @Throttle({ default: { limit: isTest() ? 200 : 5, ttl: 60000 } }) |
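Review bot: the `isTest() ? 200 : 5` branch puts an environment check inside the decorator, so the production limit of 5 is never exercised by the test suite and every throttled handler repeats the same conditional. Prefer a single value in the decorator (`@Throttle({ default: { limit: 5, ttl: 60000 } })`) and raise or disable the limit in the test module instead, for instance by overriding the ThrottlerModule options or the guard there; the same applies to the 10-per-minute invitation endpoint in company-info.controller.ts.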
The password reset request endpoint (/user/password/reset/request/) can be abused to send spam emails to users. This endpoint should be throttled to prevent abuse. Consider adding a throttle decorator similar to other sensitive endpoints.
No description provided.
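The following is an added example, not code from this pull request or from the project: a small fixed-window limiter with the semantics the `@Throttle({ default: { limit, ttl } })` decorator relies on (limit hits per `ttl` milliseconds, per tracker key, as in @nestjs/throttler v5+), the per-environment limit the PR selects, and a hypothetical login guard that throttles both per source IP (the ThrottlerGuard default) and per target account. The second key is what closes the gap the two review comments point at for login, OTP login and password reset: a per-IP limit alone does not cap attempts against one account or one mailbox spread over many addresses. `FixedWindowThrottler`, `LoginThrottleGuard`, `loginLimit` and the 10-per-minute account limit are assumptions for illustration; the `env` parameter stands in for the project's `isTest()` helper.

```typescript
// Added example (not project code): fixed-window throttling with the
// semantics of @Throttle({ default: { limit, ttl } }), ttl in milliseconds.

export interface ThrottleOptions {
  limit: number; // hits allowed per window
  ttl: number;   // window length in milliseconds
}

export interface Decision {
  allowed: boolean;
  retryAfterMs: number; // 0 when allowed
}

interface Window {
  count: number;
  expiresAt: number;
}

export class FixedWindowThrottler {
  private readonly windows = new Map<string, Window>();

  constructor(private readonly opts: ThrottleOptions) {}

  /** Records one hit for `key` at time `now` (ms) and reports whether it is within the limit. */
  hit(key: string, now: number): Decision {
    let w = this.windows.get(key);
    if (!w || now >= w.expiresAt) {
      // First hit of a fresh window: the window closes ttl ms from now.
      w = { count: 0, expiresAt: now + this.opts.ttl };
      this.windows.set(key, w);
    }
    w.count += 1;
    if (w.count > this.opts.limit) {
      return { allowed: false, retryAfterMs: w.expiresAt - now };
    }
    return { allowed: true, retryAfterMs: 0 };
  }
}

/** Same choice the PR makes (200 in the test environment, 5 otherwise); `env` replaces the global isTest() helper. */
export function loginLimit(env: string): number {
  return env === 'test' ? 200 : 5;
}

export interface LoginAttempt {
  ip: string;
  username: string;
  at: number; // ms timestamp
}

/**
 * Hypothetical guard: one throttle keyed on the client IP (what the PR's
 * decorator gives) and one keyed on the submitted account, so that spreading
 * a brute-force attempt on a single account over many IPs still hits a ceiling.
 */
export class LoginThrottleGuard {
  private readonly perIp: FixedWindowThrottler;
  private readonly perAccount: FixedWindowThrottler;

  constructor(env: string, ttl = 60_000, accountLimit = 10) {
    this.perIp = new FixedWindowThrottler({ limit: loginLimit(env), ttl });
    this.perAccount = new FixedWindowThrottler({ limit: accountLimit, ttl });
  }

  canActivate(a: LoginAttempt): Decision {
    const byIp = this.perIp.hit(`ip:${a.ip}`, a.at);
    if (!byIp.allowed) return byIp;
    // Lower-case the identifier so "Alice" and "alice" share one bucket.
    return this.perAccount.hit(`acct:${a.username.toLowerCase()}`, a.at);
  }
}
```

The per-account limit is deliberately higher than the per-IP one: it only has to stop distributed guessing, and a low value would let an attacker lock a victim out by burning the victim's bucket.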