TOTP brute-force is a realistic attack once a password is compromised:
with no independent throttle, an attacker shared the login budget (10
attempts) across /login, /register, and /mfa/verify-login, and
/mfa/enable had no rate limiting at all.
- Add a dedicated `mfaAttempts` store so MFA limits are tracked
separately from login attempts
- Introduce `mfaLimiter` (5 attempts / 15 min) applied to both
/mfa/verify-login and /mfa/enable
- Refactor `rateLimiter()` to accept an optional store parameter,
keeping all existing call-sites unchanged
- Include mfaAttempts in the periodic cleanup interval
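As an added illustration of the design described above (example code, not the project's own implementation), the following JavaScript shows a fixed-window rate limiter whose store is a parameter, with one `Map` for login attempts and a separate `mfaAttempts` map behind `mfaLimiter` (5 attempts / 15 min), plus the cleanup routine that sweeps both stores. The Express-style `(req, res, next)` middleware shape, keying by `req.ip`, the injectable clock and the sample IP are assumptions made for this example; the names `rateLimiter`, `mfaAttempts` and `mfaLimiter` follow the commit message.

```javascript
// Added example, not the project's code: a fixed-window rate limiter with a
// pluggable store so MFA verification gets its own budget instead of
// sharing the login budget. Middleware shape, req.ip keying and the
// injectable clock are assumptions made for this illustration.

const FIFTEEN_MIN = 15 * 60 * 1000;

// One Map per protected surface: key -> { count, windowStart }.
const loginAttempts = new Map();
const mfaAttempts = new Map();

// Injectable clock so window expiry can be exercised without waiting.
let clock = () => Date.now();
function setClock(fn) { clock = fn; }

// Optional `store` parameter: existing call-sites keep using loginAttempts.
function rateLimiter({ max, windowMs, store = loginAttempts, keyFn = (req) => req.ip }) {
  return function limiter(req, res, next) {
    const key = keyFn(req);
    const t = clock();
    let entry = store.get(key);
    // Open a fresh window when none exists or the previous one has expired.
    if (!entry || t - entry.windowStart >= windowMs) {
      entry = { count: 0, windowStart: t };
      store.set(key, entry);
    }
    entry.count += 1; // blocked attempts still count and never extend the window
    if (entry.count > max) {
      res.statusCode = 429;
      res.body = 'Too many attempts';
      return;
    }
    next();
  };
}

const loginLimiter = rateLimiter({ max: 10, windowMs: FIFTEEN_MIN });
const mfaLimiter = rateLimiter({ max: 5, windowMs: FIFTEEN_MIN, store: mfaAttempts });

// Periodic sweep: drop entries whose window has elapsed so stores stay bounded.
function cleanup(store, windowMs) {
  const t = clock();
  let removed = 0;
  for (const [key, entry] of store) {
    if (t - entry.windowStart >= windowMs) { store.delete(key); removed += 1; }
  }
  return removed;
}
function cleanupAll() {
  return cleanup(loginAttempts, FIFTEEN_MIN) + cleanup(mfaAttempts, FIFTEEN_MIN);
}

// Run one limiter against a synthetic request and report the outcome.
function attempt(limiter, ip) {
  const req = { ip };
  const res = { statusCode: 200, body: '' };
  let passed = false;
  limiter(req, res, () => { passed = true; });
  return { allowed: passed, status: passed ? 200 : res.statusCode };
}

// How many of n attempts from one IP get through a given limiter.
function countAllowed(limiter, ip, n) {
  let allowed = 0;
  for (let i = 0; i < n; i++) if (attempt(limiter, ip).allowed) allowed++;
  return allowed;
}

// Walk through the scenario from the commit message with a fake clock.
function demo() {
  loginAttempts.clear();
  mfaAttempts.clear();
  let fakeNow = 0;
  setClock(() => fakeNow);
  const ip = '198.51.100.7'; // constructed sample address (documentation range)
  const loginAllowed = countAllowed(loginLimiter, ip, 12);    // login budget: 10
  const mfaAllowed = countAllowed(mfaLimiter, ip, 8);         // MFA budget: 5, independent of login
  const blockedBeforeReset = attempt(mfaLimiter, ip).status;  // still inside the window: 429
  fakeNow += FIFTEEN_MIN;
  const allowedAfterWindow = attempt(mfaLimiter, ip).allowed; // new window: allowed
  fakeNow += FIFTEEN_MIN;
  const removed = cleanupAll();                               // both entries expired
  setClock(() => Date.now());
  return { loginAllowed, mfaAllowed, blockedBeforeReset, allowedAfterWindow, removed };
}

console.log(demo());
```

The key point is in `demo()`: after the login budget for an address is exhausted, `mfaLimiter` still enforces its own 5-attempt limit from a separate store, so neither surface's throttle can be consumed through the other. In a real deployment the stores would be shared across instances (for example a central cache) and keyed per account as well as per address, which this in-memory example deliberately leaves out.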