Merge pull request #221 from Harkiratcodess/fix/otp-rate-limiting

fix: add rate limiting to OTP verify-email and resend-otp endpoints

Author: Sachinchaurasiya360

server/src/module/auth/auth.routes.ts

@@ -2,6 +2,18 @@ import { Router } from "express";
 import { AuthController } from "./auth.controller.js";
 import { AuthService } from "./auth.service.js";
 import { authMiddleware } from "../../middleware/auth.middleware.js";
+import rateLimit from "express-rate-limit";
+
+const createOtpRateLimit = (max: number, message: string) => rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max,
+  message: { message },
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+const verifyEmailRateLimit = createOtpRateLimit(5, "Too many attempts, please try again after 15 minutes");
+const resendOtpRateLimit = createOtpRateLimit(3, "Too many resend attempts, please try again after 15 minutes");
 
 const authService = new AuthService();
 const authController = new AuthController(authService);
@@ -11,8 +23,8 @@ export const authRouter = Router();
 authRouter.post("/register", (req, res) => authController.register(req, res));
 authRouter.post("/login", (req, res) => authController.login(req, res));
 authRouter.post("/google", (req, res) => authController.googleAuth(req, res));
-authRouter.post("/verify-email", (req, res) => authController.verifyEmail(req, res));
-authRouter.post("/resend-otp", (req, res) => authController.resendOtp(req, res));
+authRouter.post("/verify-email", verifyEmailRateLimit, (req, res) => authController.verifyEmail(req, res));
+authRouter.post("/resend-otp", resendOtpRateLimit, (req, res) => authController.resendOtp(req, res));
 authRouter.post("/forgot-password", (req, res) => authController.forgotPassword(req, res));
 authRouter.post("/reset-password", (req, res) => authController.resetPassword(req, res));
 authRouter.post("/logout", (req, res) => authController.logout(req, res));