fix(security #6): add rate limiting to POST /api/auth/login

Uses express-rate-limit@6 (pinned for Node 12 dev compat; Node 18 in prod container is unaffected). Limits each IP to 10 attempts per 15-minute window. Returns 429 with a safe error message on breach.
2026-05-16 16:18:34 +01:00
parent 8f96a5f296
commit 1eadb30481
3 changed files with 38 additions and 13 deletions
--- a/package.json
+++ b/package.json
@@ -9,16 +9,17 @@
    "install:all": "npm install"
  },
  "dependencies": {
-    "express": "^4.18.2",
+    "axios": "^1.6.0",
+    "cookie-parser": "^1.4.6",
    "cors": "^2.8.5",
    "dotenv": "^16.3.1",
-    "axios": "^1.6.0",
-    "node-cron": "^3.0.3",
-    "cookie-parser": "^1.4.6"
+    "express": "^4.18.2",
+    "express-rate-limit": "^6.7.0",
+    "node-cron": "^3.0.3"
  },
  "devDependencies": {
-    "nodemon": "^2.0.22",
-    "concurrently": "^7.6.0"
+    "concurrently": "^7.6.0",
+    "nodemon": "^2.0.22"
  },
  "keywords": [
    "sabnzbd",