
Rate Limiting for Auth & Admin

Cross-Module · AUTH-09, ADM-14 · Priority: P1

Why It Matters

Without rate limiting, an attacker can attempt thousands of login requests per second — brute-forcing passwords, testing leaked credentials, or overwhelming your auth infrastructure. The same applies to admin endpoints: unthrottled admin API calls enable automated data extraction and abuse.

In Tenzai's independent testing of 5 AI coding tools, only 1 out of 15 AI-built apps attempted any form of rate limiting — and that implementation was bypassable. Zero out of 15 had security headers configured. AI code generators simply don't add rate limiting because it's not part of the "make it work" checklist.

Priority: P1 — Brute-force attacks are automated and constant. Every public-facing auth endpoint will be targeted.

Affected Stack: Next.js, Supabase, any framework with public API endpoints


AUTH-09: Rate Limiting on Auth Endpoints

The Problem

AI tools generate login and registration endpoints that accept unlimited requests with no throttling.

// ❌ No rate limiting — unlimited login attempts
export async function POST(req: Request) {
  const { email, password } = await req.json();
  const { data, error } = await supabase.auth.signInWithPassword({
    email, password
  });
  return Response.json({ data, error });
}

An attacker can script thousands of login attempts per minute, testing leaked password lists against your users' accounts.

The Fix

Add rate limiting at the API route level, keyed on the client IP and, for account-specific flows such as login, on the target email address as well.

// ✅ Rate-limited auth endpoint
import { Ratelimit } from '@upstash/ratelimit';
import { Redis } from '@upstash/redis';

const authLimiter = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(5, '15 m'), // 5 attempts per 15 min
});

export async function POST(req: Request) {
  // X-Forwarded-For can carry a comma-separated proxy chain; the first entry is
  // the client, and it is only trustworthy when your own proxy/CDN sets it.
  const ip = req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() || '127.0.0.1';
  const { success } = await authLimiter.limit(`auth:ip:${ip}`);

  if (!success) {
    return new Response('Too many attempts. Try again later.', { status: 429 });
  }

  const { email, password } = await req.json();

  // Second key on the target account, so attempts spread across many IPs
  // against a single user are still throttled.
  const perEmail = await authLimiter.limit(`auth:email:${String(email).toLowerCase()}`);
  if (!perEmail.success) {
    return new Response('Too many attempts. Try again later.', { status: 429 });
  }

  // ... proceed with auth
}

Recommended limits:

  • Login: 5 attempts per 15 minutes per IP
  • Registration: 3 attempts per hour per IP
  • Password reset: 3 requests per hour per email
  • Email verification: 5 requests per hour per email

ADM-14: Rate Limiting on Admin Endpoints

Admin endpoints need stricter rate limiting than regular endpoints. An admin API without throttling allows automated data extraction — an attacker with stolen admin credentials can export your entire database before you detect the breach.

// ✅ Stricter limits for admin endpoints
const adminLimiter = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(30, '1 m'), // 30 requests per minute
});
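The following is an added example, not code from this standard or from Upstash: an in-memory sliding-window limiter with the same call shape as Ratelimit.limit() above, used to exercise the AUTH-09 login policy (5 per 15 minutes, keyed on IP and on email) and the ADM-14 admin policy (30 per minute) offline. The clock is injected so the window can be advanced deterministically; a real deployment keeps this state in Redis so every instance shares it.

```typescript
// Added example: sliding-window limiter mirroring the page's policies.
type Rule = { limit: number; windowMs: number };

// Policies from the page: 5 login attempts / 15 min, 30 admin requests / min.
const AUTH_RULE: Rule = { limit: 5, windowMs: 15 * 60_000 };
const ADMIN_RULE: Rule = { limit: 30, windowMs: 60_000 };

class SlidingWindowLimiter {
  private hits = new Map<string, number[]>(); // key -> hit timestamps (ms)
  constructor(private rule: Rule) {}

  // Returns { success, remaining } like Ratelimit.limit(). `now` is injected
  // so callers (and tests) can control time. Rejected hits are not recorded,
  // so a blocked client cannot extend its own lockout.
  limit(key: string, now: number = Date.now()): { success: boolean; remaining: number } {
    const cutoff = now - this.rule.windowMs;
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff);
    if (recent.length >= this.rule.limit) {
      this.hits.set(key, recent);
      return { success: false, remaining: 0 };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { success: true, remaining: this.rule.limit - recent.length };
  }
}

// First hop of X-Forwarded-For is the client only when a trusted proxy sets it.
function clientIp(xff: string | null, fallback = '127.0.0.1'): string {
  const first = xff?.split(',')[0]?.trim();
  return first ? first : fallback;
}

const ipLimiter = new SlidingWindowLimiter(AUTH_RULE);
const emailLimiter = new SlidingWindowLimiter(AUTH_RULE);
const adminLimiter = new SlidingWindowLimiter(ADMIN_RULE);

// AUTH-09: throttle by source IP and by target account, so both a single host
// spraying many accounts and many hosts hammering one account are caught.
function checkLogin(ip: string, email: string, now: number = Date.now()): boolean {
  if (!ipLimiter.limit(`auth:ip:${ip}`, now).success) return false;
  return emailLimiter.limit(`auth:email:${email.toLowerCase()}`, now).success;
}

// ADM-14: stricter per-admin-session budget on admin routes.
function checkAdmin(sessionId: string, now: number = Date.now()): boolean {
  return adminLimiter.limit(`admin:${sessionId}`, now).success;
}
```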
