πŸ› Bug Report: POST /api/auth/login Has No Rate Limiting β€” Brute Force and bcrypt-Driven DoS Are Both ViableΒ #452

@Ridanshi

📜 Description

Summary

The authentication endpoints currently have no rate limiting or request throttling.

This allows:

  • unlimited credential stuffing attempts,
  • account brute-force attacks,
  • and CPU exhaustion through repeated bcrypt operations.

Because bcryptjs runs synchronously in the Node.js process, a relatively small number of concurrent login attempts can significantly degrade server responsiveness.


Affected Files

backend/server.js
backend/routes/auth.js
backend/package.json

Root Cause

The backend registers:

  • no global rate-limiting middleware,
  • no auth-specific throttling,
  • and no request abuse protection.

Current login flow:

POST /api/auth/login

Every request reaches:

  • database lookup,
  • password comparison,
  • and session handling

with no protection against automated abuse.

The project currently has:

  • no express-rate-limit,
  • no token bucket logic,
  • no per-IP throttling,
  • no per-account protection,
  • and no temporary lockout behavior.

Security Impact

1. Credential Stuffing

An attacker can continuously submit leaked password combinations against known emails with no restriction.

2. CPU Exhaustion / DoS

bcryptjs performs CPU-intensive hashing/comparison operations directly inside the Node.js event loop.

A relatively small number of concurrent requests can:

  • block the event loop,
  • delay unrelated requests,
  • and degrade the entire application.

3. Account Enumeration & Abuse

Unlimited authentication attempts also increase:

  • password spraying risk,
  • automated enumeration attempts,
  • and attack automation feasibility.

Reproduction

Run repeated requests against:

POST /api/auth/login

Example:

seq 1 200 | xargs -P 50 -I{} curl -X POST \
  http://localhost:5000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"victim@example.com","password":"WrongPass123!"}'

Observe:

  • sustained bcrypt activity,
  • elevated CPU usage,
  • and degraded responsiveness.

Proposed Fix

Add strict rate limiting specifically for authentication routes.

Suggested approach:

const rateLimit = require('express-rate-limit');

// Strict limiter for the login route only; the default global limit (if any)
// should be separate and looser.
const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15-minute window
  max: 10,                  // at most 10 attempts per client per window, then HTTP 429
  standardHeaders: true,    // emit RateLimit-* headers so clients can back off
  legacyHeaders: false,     // do not emit the older X-RateLimit-* headers
});

Apply separate limits for:

  • login,
  • signup,
  • and potentially password-reset flows.

Additional recommendations:

  • exponential backoff,
  • account-based throttling,
  • structured abuse logging.
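As an added illustration of the per-IP plus per-account throttling and exponential backoff recommended above (example code, not from this issue or the project), here is a dependency-free middleware in the same Express shape as express-rate-limit. It assumes Express-style req/res objects, that the login body carries an email field, and uses an in-process store; names like createAuthLimiter are illustrative.

```javascript
// Added example, not code from the issue or the project: a limiter keyed by
// client IP and by the submitted email, with exponential backoff on repeated
// lockouts. The store is in-process; multiple instances would need a shared one.
function createAuthLimiter({ windowMs = 15 * 60 * 1000, max = 10, now = Date.now } = {}) {
  const buckets = new Map(); // key -> { count, windowStart, strikes, blockedUntil }

  function consume(key, t) {
    let b = buckets.get(key);
    if (!b) b = { count: 0, windowStart: t, strikes: 0, blockedUntil: 0 };
    if (t < b.blockedUntil) return { allowed: false, retryAfterMs: b.blockedUntil - t };
    if (t - b.windowStart >= windowMs) {            // fixed window has elapsed
      b.count = 0;
      b.windowStart = t;
      // Forget past lockouts once a full quiet window has passed since the last one.
      if (t - b.blockedUntil >= windowMs) b.strikes = 0;
    }
    b.count += 1;
    if (b.count > max) {
      // Exponential backoff: each new lockout lasts twice as long as the previous one.
      b.strikes += 1;
      b.blockedUntil = t + windowMs * 2 ** (b.strikes - 1);
      buckets.set(key, b);
      return { allowed: false, retryAfterMs: b.blockedUntil - t };
    }
    buckets.set(key, b);
    return { allowed: true, remaining: max - b.count };
  }

  return function loginLimiter(req, res, next) {
    const t = now();
    const body = req.body || {};
    const email = typeof body.email === 'string' ? body.email.trim().toLowerCase() : '';
    const keys = [`ip:${req.ip}`];
    if (email) keys.push(`acct:${email}`);        // account throttle, independent of source IP
    const results = keys.map((k) => consume(k, t));
    const denied = results.find((r) => !r.allowed);
    res.setHeader('RateLimit-Limit', String(max));
    if (denied) {
      res.setHeader('RateLimit-Remaining', '0');
      res.setHeader('Retry-After', String(Math.ceil(denied.retryAfterMs / 1000)));
      return res.status(429).json({ error: 'Too many login attempts; try again later.' });
    }
    res.setHeader('RateLimit-Remaining', String(Math.min(...results.map((r) => r.remaining))));
    return next();
  };
}

if (typeof module !== 'undefined') module.exports = { createAuthLimiter }; // CommonJS export
```

Mounting it as `router.post('/login', createAuthLimiter(), handler)` keeps the bcrypt comparison from ever running for requests the limiter rejects, which is what bounds the CPU cost.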

Acceptance Criteria

  • authentication routes are rate-limited
  • excessive login attempts return HTTP 429
  • signup abuse is throttled safely
  • rate-limit headers are present
  • legitimate login flows remain unaffected
  • regression coverage added for throttling behavior

Why This Matters

Authentication endpoints are one of the most commonly targeted attack surfaces in production deployments.

Without throttling:

  • credential stuffing becomes trivial,
  • CPU exhaustion attacks become feasible,
  • and the application remains vulnerable to basic automated abuse.

What browsers are you seeing the problem on?

No response

📃 Relevant Screenshots (Links)

No response
