Draft: feat: add rate limiting to authentication endpoints (!56) · Merge requests · 44Net Connect / pop-controld · GitLab

Schuyler Erle requested to merge sderle/add-rate-limiting into main Jan 14, 2026

Problem

Authentication endpoints (/login, /register, /forgot) had no rate limiting, enabling credential stuffing and enumeration attacks.

Solution

Added Flask-Limiter with Redis backend (using existing Redis config) to enforce:

/login: 5 requests/minute
/register, /forgot: 3 requests/minute

Includes custom IP detection matching existing proxy header handling and a 429 error page consistent with other error templates.

Service provided by ARDC - www.ardc.net