Skip to content

Security: Implement Rate Limiting on Auth and API Routes #74

Description

@rushikesh-bobade

Problem Statement
Currently, our Supabase/Prisma architecture relies entirely on application-level logic for authentication and API mutations. We have no rate limiting in place for sensitive routes (e.g., /auth/login, /auth/reset-password, /api/insights), leaving the application vulnerable to brute-force attacks and DDOS.

Motivation
To become a production-grade platform, we must protect our backend from malicious scraping and credential stuffing.

Proposed Solution
Implement a lightweight Redis-based or memory-based rate limiter middleware for Remix actions and loaders.

  1. Add a utility function rateLimit(request, limit, windowMs) in app/utils/rate-limit.server.ts.
  2. Apply this utility to app/routes/login-page.tsx, app/routes/signup-page.tsx, and app/routes/reset-password.tsx.

Implementation Notes

  • Since we are deploying to Vercel, memory-based limiters won't share state across serverless functions. We should investigate using @upstash/ratelimit if a Redis instance is available, OR implement a simple IP-based rate limiter using Vercel KV.
  • If Redis is unavailable, fallback to a basic memory cache and clearly document the limitation.

Dependencies

  • None. Can be worked on independently.

Out-of-Scope

  • Do not implement rate limiting on frontend UI components. This is strictly backend middleware.

Acceptance Criteria

  • rateLimit utility function is created.
  • Attempting to login > 5 times in 1 minute throws a 429 Too Many Requests response.
  • The user sees a clear error message: "Too many attempts. Please try again later."

Testing Requirements

  • Add unit tests for the rateLimit function.

Documentation Updates

  • Document the new utility in CONTRIBUTING.md so future developers know how to rate-limit their new API routes.

Metadata

Metadata

Assignees

Labels

ECSoC26Required label for ECSOC Sentinel scoringenhancementNew feature or requestgood-backend+50 XP Bonus

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions