feat(security): rate-limit auth/login + auth/verify

Jennie Robinson Faber 2026-04-27 11:20:16 +01:00
parent bafe24b778
commit 0eeb3c351f
4 changed files with 194 additions and 6 deletions


@ -1,11 +1,18 @@
// server/api/auth/verify.post.js
import { getRequestIP } from 'h3'
import jwt from 'jsonwebtoken'
import Member from '../../models/member.js'
import { validateBody } from '../../utils/validateBody.js'
import { verifyMagicLinkSchema } from '../../utils/schemas.js'
import { setAuthCookie } from '../../utils/auth.js'
import { rateLimit } from '../../utils/rateLimit.js'
export default defineEventHandler(async (event) => {
const ip = getRequestIP(event, { xForwardedFor: true }) || 'unknown'
if (!rateLimit(`auth:verify:ip:${ip}`, { max: 5, windowMs: 3600_000 })) {
throw createError({ statusCode: 429, statusMessage: 'Too many verification attempts' })
}
const { token } = await validateBody(event, verifyMagicLinkSchema)
const config = useRuntimeConfig(event)