Merge pull request #37 from fuzziecoder/codex/fix-common-backend-issues-and-create-pr

backend: add login rate limiting to mitigate brute-force attempts

Author: fuzziecoder

backend/README.md

@@ -24,6 +24,16 @@ Server starts at `http://localhost:4000` by default.
 - Passwords are stored as salted `scrypt` hashes (not plaintext).
 - Legacy plaintext user passwords are auto-migrated to hashed values on successful login.
 
+### Issue #29: Protect login endpoint from brute-force attempts
+
+- Login is now rate-limited per `IP + username` key.
+- Defaults: 5 failed attempts within 15 minutes triggers a 15 minute temporary block (`429`).
+- Configure via env vars:
+  - `LOGIN_RATE_LIMIT_MAX_ATTEMPTS`
+  - `LOGIN_RATE_LIMIT_WINDOW_MS`
+  - `LOGIN_RATE_LIMIT_BLOCK_MS`
+
+
 ## Available endpoints
 
 - `GET /api/health`

backend/server.js

@@ -4,6 +4,60 @@ import { database, dbPath } from './db.js';
 
 const port = Number(process.env.PORT || 4000);
 
+const LOGIN_RATE_LIMIT_MAX_ATTEMPTS = Number(process.env.LOGIN_RATE_LIMIT_MAX_ATTEMPTS || 5);
+const LOGIN_RATE_LIMIT_WINDOW_MS = Number(process.env.LOGIN_RATE_LIMIT_WINDOW_MS || 15 * 60 * 1000);
+const LOGIN_RATE_LIMIT_BLOCK_MS = Number(process.env.LOGIN_RATE_LIMIT_BLOCK_MS || 15 * 60 * 1000);
+const loginAttempts = new Map();
+
+const getLoginKey = (req, username) => {
+  const forwardedFor = req.headers['x-forwarded-for'];
+  const firstForwardedIp = Array.isArray(forwardedFor)
+    ? forwardedFor[0]
+    : typeof forwardedFor === 'string'
+      ? forwardedFor.split(',')[0]
+      : '';
+  const remoteIp = firstForwardedIp?.trim() || req.socket?.remoteAddress || 'unknown-ip';
+  return `${remoteIp}:${username}`;
+};
+
+const getRateLimitState = (key) => {
+  const now = Date.now();
+  const existing = loginAttempts.get(key);
+
+  if (!existing) {
+    const state = { count: 0, windowStart: now, blockedUntil: 0 };
+    loginAttempts.set(key, state);
+    return state;
+  }
+
+  if (existing.blockedUntil > 0 && existing.blockedUntil <= now) {
+    existing.count = 0;
+    existing.windowStart = now;
+    existing.blockedUntil = 0;
+  }
+
+  if (now - existing.windowStart > LOGIN_RATE_LIMIT_WINDOW_MS) {
+    existing.count = 0;
+    existing.windowStart = now;
+  }
+
+  return existing;
+};
+
+const clearRateLimitState = (key) => {
+  loginAttempts.delete(key);
+};
+
+const recordFailedLoginAttempt = (key) => {
+  const now = Date.now();
+  const state = getRateLimitState(key);
+  state.count += 1;
+
+  if (state.count >= LOGIN_RATE_LIMIT_MAX_ATTEMPTS) {
+    state.blockedUntil = now + LOGIN_RATE_LIMIT_BLOCK_MS;
+  }
+};
+
 const sendJson = (res, statusCode, body) => {
   res.writeHead(statusCode, {
     'Content-Type': 'application/json',
@@ -62,13 +116,28 @@ const server = createServer(async (req, res) => {
         return;
       }
 
+      const loginKey = getLoginKey(req, username);
+      const rateLimitState = getRateLimitState(loginKey);
+      const now = Date.now();
+      if (rateLimitState.blockedUntil > now) {
+        const retryAfterSeconds = Math.ceil((rateLimitState.blockedUntil - now) / 1000);
+        sendJson(res, 429, {
+          error: 'Too many failed login attempts. Please try again later.',
+          retryAfterSeconds,
+        });
+        return;
+      }
+
       const user = database.getUserByCredentials(username, password);
 
       if (!user) {
+        recordFailedLoginAttempt(loginKey);
         sendJson(res, 401, { error: 'invalid credentials' });
         return;
       }
 
+      clearRateLimitState(loginKey);
+
       sendJson(res, 200, { token: `demo-token-${user.id}`, user });
       return;
     } catch (error) {