fix(security #6): add rate limiting to POST /api/auth/login

Uses express-rate-limit@6 (pinned for Node 12 dev compat; Node 18 in prod container is unaffected). Limits each IP to 10 attempts per 15-minute window. Returns 429 with a safe error message on breach.
2026-05-16 16:18:34 +01:00
parent 8f96a5f296
commit 1eadb30481
3 changed files with 38 additions and 13 deletions
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
-  "name": "media-download-dashboard",
-  "version": "1.0.0",
+  "name": "sofarr",
+  "version": "0.1.4",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
-      "name": "media-download-dashboard",
-      "version": "1.0.0",
+      "name": "sofarr",
+      "version": "0.1.4",
      "license": "MIT",
      "dependencies": {
        "axios": "^1.6.0",
@@ -14,6 +14,7 @@
        "cors": "^2.8.5",
        "dotenv": "^16.3.1",
        "express": "^4.18.2",
+        "express-rate-limit": "^6.7.0",
        "node-cron": "^3.0.3"
      },
      "devDependencies": {
@@ -623,6 +624,17 @@
        "url": "https://opencollective.com/express"
      }
    },
+    "node_modules/express-rate-limit": {
+      "version": "6.7.0",
+      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-6.7.0.tgz",
+      "integrity": "sha512-vhwIdRoqcYB/72TK3tRZI+0ttS8Ytrk24GfmsxDXK9o9IhHNO5bXRiXQSExPQ4GbaE5tvIS7j1SGrxsuWs+sGA==",
+      "engines": {
+        "node": ">= 12.9.0"
+      },
+      "peerDependencies": {
+        "express": "^4 || ^5"
+      }
+    },
    "node_modules/fill-range": {
      "version": "7.1.1",
      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
@@ -2124,6 +2136,12 @@
        "vary": "~1.1.2"
      }
    },
+    "express-rate-limit": {
+      "version": "6.7.0",
+      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-6.7.0.tgz",
+      "integrity": "sha512-vhwIdRoqcYB/72TK3tRZI+0ttS8Ytrk24GfmsxDXK9o9IhHNO5bXRiXQSExPQ4GbaE5tvIS7j1SGrxsuWs+sGA==",
+      "requires": {}
+    },
    "fill-range": {
      "version": "7.1.1",
      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",