From 08df851970466a4a923a0599a34077e7d6f6838a Mon Sep 17 00:00:00 2001
From: spinline
Date: Sun, 8 Feb 2026 15:54:54 +0300
Subject: [PATCH] =?UTF-8?q?feat:=20login=20rate=20limit=20i=C3=A7in=20fron?= =?UTF-8?q?tend=20uyar=C4=B1=20mesaj=C4=B1=20ve=20IP=20bazl=C4=B1=20limit?= =?UTF-8?q?=20aktif=20edildi?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 backend/src/rate_limit.rs | 16 +++++++++-------
 frontend/src/components/auth/login.rs | 2 ++
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/backend/src/rate_limit.rs b/backend/src/rate_limit.rs
index c3f0c00..56ae822 100644
--- a/backend/src/rate_limit.rs
+++ b/backend/src/rate_limit.rs
@@ -2,14 +2,16 @@ use governor::clock::QuantaInstant;
 use governor::middleware::NoOpMiddleware;
 use tower_governor::governor::GovernorConfig;
 use tower_governor::governor::GovernorConfigBuilder;
-use tower_governor::key_extractor::GlobalKeyExtractor;
+use tower_governor::key_extractor::SmartIpKeyExtractor;
-pub fn get_login_rate_limit_config() -> GovernorConfig> {
- // GLOBAL TEST: Kim olursa olsun 2 denemeden sonra 30 saniye bloklanır.
+pub fn get_login_rate_limit_config() -> GovernorConfig> {
+ // Katı limitler:
+ // Başlangıçta 3 hak. 4. denemede bloklanır.
+ // Her yeni hak için 20 saniye bekleme süresi.
 GovernorConfigBuilder::default()
- .key_extractor(GlobalKeyExtractor)
- .per_second(30)
- .burst_size(2)
+ .key_extractor(SmartIpKeyExtractor)
+ .per_second(20)
+ .burst_size(3)
 .finish()
 .unwrap()
-}
+}
\ No newline at end of file
diff --git a/frontend/src/components/auth/login.rs b/frontend/src/components/auth/login.rs
index 604155b..45e2de0 100644
--- a/frontend/src/components/auth/login.rs
+++ b/frontend/src/components/auth/login.rs
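Review bot: `.key_extractor(SmartIpKeyExtractor)` keys the login limiter on client-supplied forwarding headers (`X-Forwarded-For`, `X-Real-IP`, `Forwarded`) before it falls back to the peer address, so unless a trusted reverse proxy overwrites those headers on every request, the bucket a request lands in is chosen by the client and the limit no longer binds. If the backend is reachable directly, `.key_extractor(PeerIpKeyExtractor)` (with the matching import and type in the return signature) is the safer key; if it sits behind a proxy, a comment here should name the proxy that sets the header and state that it discards the client's copy. If this is served with axum, the peer-address fallback also needs the server to be started with `into_make_service_with_connect_info::<SocketAddr>()`, which is not visible in this patch. An IP key alone still leaves a single account exposed to guesses spread over many addresses, so a per-username counter is worth a follow-up.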
@@ -41,6 +41,8 @@ pub fn Login() -> impl IntoView {
 logging::log!("Login successful, redirecting...");
 // Force a full reload to re-run auth checks in App.rs
 let _ = window().location().set_href("/");
+ } else if resp.status() == 429 {
+ set_error.set(Some("Çok fazla başarısız deneme yaptınız. Lütfen bir süre bekleyip tekrar deneyin.".to_string()));
 } else {
 let text = resp.text().await.unwrap_or_default();
 logging::error!("Login failed: {}", text);
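Review bot: The new `resp.status() == 429` branch tells the user they made too many failed attempts, but the limiter configured in backend/src/rate_limit.rs appears to count every request to the login route from an address, not only failed ones, so the wording can be wrong for someone throttled because they share an address behind NAT. A neutral message about too many login requests would match what the server enforces, and if the 429 response carries a `Retry-After` header, showing that wait time is more useful than "bir süre". The bare `429` would read better as a named constant with a comment such as `// 429: login rate limit hit, see backend/src/rate_limit.rs`. The enclosing `Login` component starts and ends outside this hunk.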