Problem
There is no rate limiting / brute-force protection on the sensitive paths: the Yivi disclosure/login flow, the /irma proxy, admin login, DNS-verification triggers, and API-key-authenticated endpoints. An attacker can hammer session creation, guess API keys, or flood the IRMA server and DB.
Why it matters
- Brute-force and abuse protection on auth surfaces.
- Shields the IRMA server and Postgres from request floods.
Proposal
- Add a rate-limiting layer in
src/hooks.server.ts (or a helper applied to sensitive endpoints), keyed by IP + route, with sensible per-route limits for: session/disclosure start, API-key auth failures, DNS verification, and admin login.
- Decide and document the cross-replica story — in-memory limits are per-instance; a shared store (e.g. Redis) is needed for consistent limits across replicas.
- If the intended enforcement point in production is the reverse proxy (nginx), document and configure limits there instead.
Acceptance criteria
Problem
There is no rate limiting / brute-force protection on the sensitive paths: the Yivi disclosure/login flow, the
/irmaproxy, admin login, DNS-verification triggers, and API-key-authenticated endpoints. An attacker can hammer session creation, guess API keys, or flood the IRMA server and DB.Why it matters
Proposal
src/hooks.server.ts(or a helper applied to sensitive endpoints), keyed by IP + route, with sensible per-route limits for: session/disclosure start, API-key auth failures, DNS verification, and admin login.Acceptance criteria
429past a configurable threshold.