nick-doc/Issues/ISSUE-054-login-rate-limiter-counts-all-attempts-not-only-failures.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


Issue: 054
Title: Login rate limiter counts all attempts (not just failures) — users locked out after correct logins
Severity: major
Domain: Authentication
Status: resolved
Resolved: 2026-05-29
Fix: Split checkLoginAttempts into read-only check and new incrementFailedLoginAttempt. authController now only calls increment on failed login paths, not on all attempts.
Labels: backend, bug
Status: open
Created: 2026-05-29
Source: Doc vs Code Audit 2026-05-29

🟠 Login rate limiter counts all attempts (not just failures) — users locked out after correct logins

Severity: major Domain: Authentication Labels: backend, bug

Description

rateLimitService.checkLoginAttempts() calls checkLimit(), which calls redisService.incr, incrementing the counter on every login invocation, before the password comparison. The counter only resets after a fully successful login. So 5 total attempts within 15 min (any mix of correct/incorrect passwords) triggers the lockout — not 5 failures as the docs imply.

Current Behavior

5 total login attempts within 15 minutes → 429 TOO_MANY_ATTEMPTS, even if some attempts used the correct password.

Expected Behavior

The counter should increment only on a failed password comparison, not on every attempt. Otherwise document the actual behaviour so UX warns users appropriately.
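The two limiter shapes side by side, as an added example that is not the project's code. It uses an in-memory stand-in for the Redis counter (names `CounterStore`, `loginBuggy`, `loginFixed` and the sample user `alice` are assumptions; `checkLoginAttempts` and `incrementFailedLoginAttempt` follow the names in this issue). The buggy limiter increments inside the check, so the fifth attempt is rejected even when its password is correct; the fixed one reads the counter, and only the failed-comparison path increments it. The exact boundary (rejected once the counter reaches 5) is an assumption consistent with "5 total attempts triggers the lockout".

```typescript
// Added example, not the project's code: an in-memory stand-in for the Redis
// counter, with the buggy "count every call" limiter beside the split fix.

const LOGIN_WINDOW_MS = 15 * 60 * 1000; // 15-minute window (from the issue)
const MAX_LOGIN_ATTEMPTS = 5;           // lockout threshold (from the issue)

interface CounterEntry { count: number; expiresAt: number; }

// Minimal INCR/GET/DEL with per-key expiry, standing in for redisService.
// The clock is injectable so the window expiry can be exercised offline.
class CounterStore {
  private entries = new Map<string, CounterEntry>();
  constructor(private now: () => number = () => Date.now()) {}

  incr(key: string): number {
    const t = this.now();
    const e = this.entries.get(key);
    if (e === undefined || e.expiresAt <= t) {
      // first hit, or the previous window expired: start a fresh window
      this.entries.set(key, { count: 1, expiresAt: t + LOGIN_WINDOW_MS });
      return 1;
    }
    e.count += 1;
    return e.count;
  }

  get(key: string): number {
    const e = this.entries.get(key);
    return e !== undefined && e.expiresAt > this.now() ? e.count : 0;
  }

  del(key: string): void { this.entries.delete(key); }
}

const loginKey = (user: string): string => `login:${user}`;

// BUGGY shape (as the issue describes it): the "check" increments on every
// call, so a correct password still consumes an attempt before it is compared.
function checkLoginAttemptsBuggy(store: CounterStore, user: string): boolean {
  return store.incr(loginKey(user)) < MAX_LOGIN_ATTEMPTS; // true = allowed
}

// FIXED shape: a read-only check, plus an explicit increment for failures.
function checkLoginAttempts(store: CounterStore, user: string): boolean {
  return store.get(loginKey(user)) < MAX_LOGIN_ATTEMPTS;
}
function incrementFailedLoginAttempt(store: CounterStore, user: string): number {
  return store.incr(loginKey(user));
}
function resetLoginAttempts(store: CounterStore, user: string): void {
  store.del(loginKey(user));
}

// Constructed sample credential; real code compares against a password hash.
const USERS: Record<string, string> = { alice: "correct-horse" };

type LoginResult = { status: 200 | 401 | 429; code: string };

// Controller as the issue describes the buggy flow: count first, compare second.
function loginBuggy(store: CounterStore, user: string, password: string): LoginResult {
  if (!checkLoginAttemptsBuggy(store, user)) return { status: 429, code: "TOO_MANY_ATTEMPTS" };
  if (USERS[user] !== password) return { status: 401, code: "INVALID_CREDENTIALS" };
  resetLoginAttempts(store, user); // only a fully successful login resets
  return { status: 200, code: "OK" };
}

// Controller after the split: read-only check, then count only the failure path.
function loginFixed(store: CounterStore, user: string, password: string): LoginResult {
  if (!checkLoginAttempts(store, user)) return { status: 429, code: "TOO_MANY_ATTEMPTS" };
  if (USERS[user] !== password) {
    incrementFailedLoginAttempt(store, user); // the failure is what costs an attempt
    return { status: 401, code: "INVALID_CREDENTIALS" };
  }
  resetLoginAttempts(store, user);
  return { status: 200, code: "OK" };
}

// Scenario from the issue: four wrong passwords, then the correct one.
// Buggy limiter answers 429 on the correct attempt; fixed limiter answers 200.
function fourWrongThenRight(login: typeof loginFixed): number {
  const store = new CounterStore();
  for (let i = 0; i < 4; i++) login(store, "alice", "wrong");
  return login(store, "alice", "correct-horse").status;
}

// Five real failures still lock the fixed limiter, and the lock clears once the
// 15-minute window has elapsed (clock advanced by hand).
function fiveFailuresThenWaitOut(): [number, number] {
  let clock = 1_000_000;
  const store = new CounterStore(() => clock);
  for (let i = 0; i < 5; i++) loginFixed(store, "alice", "wrong");
  const locked = loginFixed(store, "alice", "correct-horse").status;
  clock += LOGIN_WINDOW_MS + 1;
  const afterWindow = loginFixed(store, "alice", "correct-horse").status;
  return [locked, afterWindow];
}
```

The detail worth keeping from the fixed controller is the ordering: the check reads the counter but never writes it, the write sits on the `401` path only, and the reset sits on the `200` path, so a correct password can never be the request that trips the lockout. When porting this onto a real Redis client, the `incr` and the `expire` that starts the window should be issued together (a MULTI block or a Lua script) so a crash between them cannot leave a counter with no expiry.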

Affected Files

  • backend/src/services/auth/rateLimitService.ts: checkLoginAttempts / checkLimit
  • backend/src/controllers/authController.ts — move the increment to after password comparison

References