
nsc-events-fullstack_32_179-jwt-rate-limit-authentication#181

Open
NahomAlemu wants to merge 2 commits into main from bug-179-jwt-rate-limit-authentication

Conversation

@NahomAlemu
Contributor

Summary & Changes 📃

  • Resolves: Issue: Weak JWT Secret & Missing Rate Limiting on Authentication Endpoints #179

  • Summary: Implement strong JWT secret and rate limiting on authentication endpoints

    • 🔨 Fixes weak JWT secret ("secret") that could be brute-forced, and adds rate limiting to prevent credential stuffing and
      brute-force attacks on auth endpoints
    • 👀 Authentication endpoints now reject excessive requests (429 Too Many Requests) and JWT tokens are signed with a
      cryptographically secure 64-character secret
    • 🗨️ Uses @nestjs/throttler package for rate limiting with per-endpoint configuration
    • Changes:
      • ✅ Generated strong 64-character JWT secret using openssl rand -hex 32
      • ✅ Installed and configured @nestjs/throttler in app.module.ts
      • ✅ Applied rate limiting to auth endpoints:
        • Login: 5 attempts/minute per IP
        • Signup: 3 attempts/minute per IP
        • Forgot Password: 3 attempts/minute per IP
        • Reset Password: 3 attempts/minute per IP
      • ✅ Updated .env.example with instructions for generating secure secrets
      • ✅ Updated auth controller tests to include ThrottlerModule
      • 🛠️ No breaking changes - existing functionality unchanged
      • 📝 Rate limit responses return HTTP 429 with retry information

    How to Test 🧪

    1. Steps to Reproduce:
    • Step 1: Start the backend server with npm run start:dev
    • Step 2: Attempt to log in more than 5 times within 1 minute using an incorrect password
    • Step 3: Observe the 429 response after exceeding the limit
    2. Expected Behavior: After 5 failed login attempts in 1 minute, subsequent requests return 429 Too Many Requests

Checklist ✅

  • I have tested this PR locally and it works as expected.
  • This PR resolves an issue (Resolves #issue-number).
  • Reviewers, assignees(self), tags, and labels are correctly assigned.
  • Squash commits and enable auto-merge if approved.

@NahomAlemu NahomAlemu self-assigned this Mar 11, 2026
@NahomAlemu NahomAlemu added the security Vulnerability patches, encryption, or access control label Mar 11, 2026
@github-actions

✅ Full E2E Test Results

Running full test suite (critical files changed)

Status Count
✅ Passed 47
❌ Failed 0
📊 Total 47

