---
issue: 029
title: "No brute-force protection on delivery code verification endpoint — 900,000 combinations are enumerable"
severity: major
domain: Delivery
labels: [security, bug, backend, major, brute-force]
status: resolved
resolved: 2026-05-29
fix: "Added deliveryCodeVerifyLimiter (express-rate-limit: 10 attempts per 15 min per requestId+userId) to POST /delivery-code/verify in marketplace/routes.ts."
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 No brute-force protection on delivery code verification endpoint — 900,000 combinations are enumerable

**Severity:** major
**Domain:** Delivery
**Labels:** security, bug, backend, major, brute-force

## Description

The 6-digit delivery code verify endpoint (routes.ts lines 2790-2847) has no rate limiting, no lockout counter, and no maximum attempt count. Failed attempts are recorded to `deliveryInfo.deliveryAttempts[]`, but nothing enforces a limit on them. A malicious actor could therefore try all 900,000 combinations without ever being blocked.

## Current Behavior

Unlimited guesses are permitted. No rate limiting or lockout is applied to the verify endpoint.

## Expected Behavior

After N failed attempts (e.g., 5), the endpoint should return 429 or lock the code for a period. The `deliveryAttempts[]` array already tracks attempts; only the enforcement needs to be added.

## Affected Files

- `backend/src/routes/routes.ts`
- `backend/src/services/deliveryService.ts`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
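As an added example (not the project's `routes.ts` or `deliveryService.ts`), this is the lockout check described under Expected Behavior, driven by the `deliveryAttempts[]` array the issue says is already recorded: N failures inside a window lock the code, the lock is checked before the code is compared, and a successful verification resets the counter. The attempt field names `at`/`ok`, the `DeliveryInfo` shape, the policy values and all function names are assumptions.

```typescript
// Added example, not the project's code. Field names and function names are assumed.
interface DeliveryAttempt { at: number; ok: boolean }          // epoch ms, did the code match?
interface DeliveryInfo { code: string; deliveryAttempts: DeliveryAttempt[] }

interface LockoutPolicy { maxFailures: number; windowMs: number; lockoutMs: number }
const POLICY: LockoutPolicy = {
  maxFailures: 5,            // the "N" suggested in the issue
  windowMs: 15 * 60 * 1000,  // failures are counted over the last 15 minutes
  lockoutMs: 15 * 60 * 1000, // keep <= windowMs, or the lock lifts when failures age out
};

// Milliseconds the code remains locked at `now` (0 = not locked).
function lockedForMs(attempts: DeliveryAttempt[], now: number, p = POLICY): number {
  // A successful verification resets the counter: only failures after it count.
  const lastOk = Math.max(-1, ...attempts.filter(a => a.ok).map(a => a.at));
  const recent = attempts
    .filter(a => !a.ok && a.at > lastOk && now - a.at <= p.windowMs)
    .sort((a, b) => a.at - b.at);
  if (recent.length < p.maxFailures) return 0;
  const latest = recent[recent.length - 1];  // lock runs from the most recent failure
  return Math.max(0, latest.at + p.lockoutMs - now);
}

// Constant-time comparison so response timing does not reveal how many digits matched.
function codesMatch(expected: string, submitted: string): boolean {
  if (expected.length !== submitted.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) diff |= expected.charCodeAt(i) ^ submitted.charCodeAt(i);
  return diff === 0;
}

interface VerifyResult { status: 200 | 401 | 429; retryAfterSec?: number }

// Hypothetical handler core: refuse while locked (without comparing or recording),
// otherwise compare and append the attempt to deliveryAttempts[] as the route already does.
function verifyDeliveryCode(info: DeliveryInfo, submitted: string, now: number): VerifyResult {
  const locked = lockedForMs(info.deliveryAttempts, now);
  if (locked > 0) return { status: 429, retryAfterSec: Math.ceil(locked / 1000) };
  const ok = codesMatch(info.code, submitted);
  info.deliveryAttempts.push({ at: now, ok });
  return { status: ok ? 200 : 401 };
}
```

The 429 branch returns `retryAfterSec` so the route can set a `Retry-After` header; the frontmatter's `express-rate-limit` limiter (per requestId+userId) and this per-code lockout are complementary, since the first throttles a single client and the second caps total guesses against one code regardless of who submits them.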