
fix: add rate limiting to POST /auth/resend-otp (#26)#32

Closed
lvhong0420 wants to merge 1 commit into
voiceyBill:mainfrom
lvhong0420:fix/resend-otp-rate-limit

Conversation

@lvhong0420

Summary

Fixes #26: Add in-memory rate limiting to POST /auth/resend-otp endpoint.

Problem

The resendOtpController had no rate limiting, allowing attackers to:

  • Infinitely loop calls with a valid email address
  • Trigger an OTP email on each request
  • Abuse the Resend email sending quota

Solution

  • Added Map<string, number> cooldown tracker at module level (resendCooldowns)
  • Each email address is limited to 1 request per 60 seconds
  • Returns HTTP 429 with clear message when limit exceeded
  • Lightweight in-memory implementation, no Redis dependency needed

Changes

  • File: src/controllers/auth.controller.ts
    • Added const resendCooldowns = new Map<string, number>() after imports (line 21)
    • Added cooldown check + update logic inside resendOtpController (lines 69-78)

If you need more quick fixes like this, feel free to reach out!

@vercel

vercel Bot commented May 15, 2026

@lvhong0420 is attempting to deploy a commit to the voiceyBill's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added the backend Changes backend source code label May 15, 2026
