Status: Open
Labels: Code Quality (Refactors & fixes related to code quality), Type: Feature Request (New feature or request)
Description
Problem
We currently use a client-side rate limiter (localStorage-based) to throttle auth actions like signup, login, and password reset. This is helpful for UX, but it provides no real abuse protection, since it can be bypassed by:
- Clearing browser storage
- Using incognito
- Calling Firebase APIs directly
- Using scripts or bots
As a result, our auth endpoints are still vulnerable to:
- Account enumeration
- Brute-force login attempts
- Email bombing via password reset
- Signup abuse
Goal
Add server-side rate limiting that enforces limits regardless of client behavior. This should protect:
- signUp
- signIn
- sendPasswordResetEmail
- any other auth-triggering endpoints
Recommended approach
Implement rate limiting in either:
- API routes/server actions
- Firebase App Check + per-IP/per-identifier limits (needs some research, but I think Firebase already allows for built-in limiting)
Limits should most likely be applied per IP address, or via email if needed. Let's start with IP though.
Example policy:
- 5 failed logins per email per 10 minutes
- 3 password resets per email per hour
- 5 signups per IP per hour
Feel free to implement whatever policy you feel fits best though; I'm not dead set on this policy or anything!
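As an added example (not code from this project), here is a minimal server-side limiter for an API route or server action that enforces the example policy above regardless of what the client does. It keeps state in an in-process Map, which is an assumption for illustration; a shared store would be needed across multiple server instances. The `authenticate` callback and the `loginFailed`/`passwordReset`/`signup` action names are also assumptions.

```javascript
// Added example: sliding-window limiter keyed by action + identifier (IP or email).
// Policy values come from the issue; the Map-based store is assumed for illustration
// and only works for a single process (use a shared store such as Redis otherwise).
const POLICY = {
  loginFailed:   { limit: 5, windowMs: 10 * 60 * 1000 }, // per email
  passwordReset: { limit: 3, windowMs: 60 * 60 * 1000 }, // per email
  signup:        { limit: 5, windowMs: 60 * 60 * 1000 }, // per IP
};

function createRateLimiter(policy = POLICY, now = () => Date.now()) {
  const buckets = new Map(); // "action:identifier" -> timestamps still inside the window

  function events(action, identifier) {
    const rule = policy[action];
    if (!rule) throw new Error(`unknown action: ${action}`);
    const key = `${action}:${identifier.trim().toLowerCase()}`; // normalise emails/IPs
    const cutoff = now() - rule.windowMs;
    const kept = (buckets.get(key) || []).filter((t) => t > cutoff); // drop expired
    buckets.set(key, kept);
    return { rule, kept };
  }

  // Check without consuming; callers record only the events the policy counts.
  function status(action, identifier) {
    const { rule, kept } = events(action, identifier);
    const limited = kept.length >= rule.limit;
    const retryAfterMs = limited ? kept[0] + rule.windowMs - now() : 0;
    return { limited, remaining: Math.max(0, rule.limit - kept.length), retryAfterMs };
  }

  function record(action, identifier) {
    events(action, identifier).kept.push(now());
  }
  return { status, record };
}

// Login handler sketch: refuse before calling the auth backend, count only failures,
// and return one generic message for both wrong password and unknown account.
async function handleLogin(limiter, email, password, authenticate) {
  const s = limiter.status("loginFailed", email);
  if (s.limited) {
    return { status: 429, headers: { "Retry-After": String(Math.ceil(s.retryAfterMs / 1000)) } };
  }
  const ok = await authenticate(email, password); // assumed: resolves to true/false
  if (!ok) {
    limiter.record("loginFailed", email);
    return { status: 401, body: { error: "Invalid email or password" } };
  }
  return { status: 200 };
}
```

Signup and password-reset handlers use the same `status`/`record` pair with `signup` keyed by the client IP and `passwordReset` keyed by the submitted email, recording on every attempt rather than only on failure.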