security: rate limit POST /api/auth with Rack::Attack

[AjayPAnand]

Description

Add rack-attack with IP-based throttle (5 requests per 20 seconds) on login to mitigate brute-force and credential stuffing. Return 429 JSON with Retry-After when exceeded. Use MemoryStore for throttle counters so limits apply in development as well as production.

Implemented brute-force protection for the login endpoint by adding IP-based throttling on POST /api/auth using [Rack::Attack]. This change mitigates brute-force and credential-stuffing attacks while preserving existing authentication behavior.

Fixes #0.1.9 Sr. No. - Brute Force Vulnerability in Login Endpoint

Changes made

• Added dependency:
  Added gem 'rack-attack' to Gemfile
  Ran bundle install to update Gemfile.lock

• Enabled middleware:
  Added config.middleware.use Rack::Attack in config/application.rb

• Added throttle rules:
  Created config/initializers/rack_attack.rb
  Configured Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
  Added IP-based throttling for POST /api/auth
  Limit: 5 requests per 20 seconds per IP

• Added custom throttled response:
  Returns HTTP 429 Too Many Requests

JSON response:
{"error":"Too many login attempts. Please try again shortly."}
Includes Retry-After header when available
Added responder compatibility fix:
Updated handling to support Rack::Attack::Request object shape and avoid NoMethodError

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Manual testing steps

1. Restarted the API server after adding the initializer
2. Used [Burp Suite]
3. Repeater to capture and replay POST /api/auth requests
4. Sent multiple rapid login requests from the same IP/session

Verified:
Requests 1–5 within 20 seconds were processed normally
Request 6+ returned:
HTTP 429 Too Many Requests
JSON error response
Retry-After header

6. Waited more than 20 seconds and confirmed requests were accepted again

Screenshots 1:

Screenshots 2:

• Test A - Verified throttling activates after 5 login attempts within 20 seconds
• Test B - Verified requests are accepted again after the throttle window expires

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation if appropriate
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• I have created or extended unit tests to address my new additions
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

If you have any questions, please contact @macite or @jakerenzella.

[224599437]

Reviewed and Tested – Working as Expected
I pulled and ran this branch locally and verified the rate-limiting behaviour using Burp Suite Repeater.
Test Results:

Requests 1–5 to POST /api/auth within 20 seconds were processed normally
Request 6+ correctly returned HTTP 429 Too Many Requests with:

JSON body: {"error":"Too many login attempts. Please try again shortly."}
Retry-After header indicating seconds remaining in the throttle window

After waiting for the throttle window to expire, requests were accepted again

Code Review:

rack-attack gem added correctly to Gemfile
Middleware registered in config/application.rb
config/initializers/rack_attack.rb correctly configures MemoryStore, the throttle rule (5 req / 20 sec per IP), and the custom 429 JSON response with Retry-After
No breaking changes to existing authentication behaviour

The implementation effectively mitigates brute-force and credential-stuffing attacks on the login endpoint. LGTM