security: rate limit POST /api/auth with Rack::Attack

[AjayPAnand]

Description

Add rack-attack with IP-based throttle (5 requests per 20 seconds) on login to mitigate brute-force and credential stuffing. Return 429 JSON with Retry-After when exceeded. Use MemoryStore for throttle counters so limits apply in development as well as production.

Implemented brute-force protection for the login endpoint by adding IP-based throttling on POST /api/auth using [Rack::Attack]. This change mitigates brute-force and credential-stuffing attacks while preserving existing authentication behavior.

Fixes #0.1.9 Sr. No. - Brute Force Vulnerability in Login Endpoint

Changes made

• Added dependency:
  Added gem 'rack-attack' to Gemfile
  Ran bundle install to update Gemfile.lock

• Enabled middleware:
  Added config.middleware.use Rack::Attack in config/application.rb

• Added throttle rules:
  Created config/initializers/rack_attack.rb
  Configured Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
  Added IP-based throttling for POST /api/auth
  Limit: 5 requests per 20 seconds per IP

• Added custom throttled response:
  Returns HTTP 429 Too Many Requests

JSON response:
{"error":"Too many login attempts. Please try again shortly."}
Includes Retry-After header when available
Added responder compatibility fix:
Updated handling to support Rack::Attack::Request object shape and avoid NoMethodError

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Manual testing steps

1. Restarted the API server after adding the initializer
2. Used [Burp Suite]
3. Repeater to capture and replay POST /api/auth requests
4. Sent multiple rapid login requests from the same IP/session

Verified:
Requests 1–5 within 20 seconds were processed normally
Request 6+ returned:
HTTP 429 Too Many Requests
JSON error response
Retry-After header

6. Waited more than 20 seconds and confirmed requests were accepted again

Screenshots 1:

Screenshots 2:

• Test A - Verified throttling activates after 5 login attempts within 20 seconds
• Test B - Verified requests are accepted again after the throttle window expires

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation if appropriate
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• I have created or extended unit tests to address my new additions
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

If you have any questions, please contact @macite or @jakerenzella.