Add rate limiting to login endpoint (5 req/sec burst)

backend/Cargo.toml

@@ -39,3 +39,4 @@ axum-extra = { version = "0.10", features = ["cookie"] }
 rand = "0.8"
 anyhow = "1.0.101"
 time = { version = "0.3.47", features = ["serde", "formatting", "parsing"] }
+tower_governor = "0.8.0"

backend/src/main.rs

@@ -32,6 +32,7 @@ use tower_http::{
 };
 use utoipa::OpenApi;
 use utoipa_swagger_ui::SwaggerUi;
+use tower_governor::{governor::GovernorConfigBuilder, GovernorLayer};
 
 #[derive(Clone)]
 pub struct AppState {
@@ -450,12 +451,27 @@ async fn main() {
         }
     });
 
+    // Rate Limit Configuration for Login
+    // Allow 5 login attempts per IP, regenerating 1 token every second (effectively 5 attempts burst, then 1/sec)
+    let governor_conf = Box::new(
+        GovernorConfigBuilder::default()
+            .per_second(1)
+            .burst_size(5)
+            .finish()
+            .unwrap(),
+    );
+
     let app = Router::new()
         .merge(SwaggerUi::new("/swagger-ui").url("/api-docs/openapi.json", ApiDoc::openapi()))
         // Setup & Auth Routes
         .route("/api/setup/status", get(handlers::setup::get_setup_status_handler))
         .route("/api/setup", post(handlers::setup::setup_handler))
-        .route("/api/auth/login", post(handlers::auth::login_handler))
+        .route(
+            "/api/auth/login",
+            post(handlers::auth::login_handler).layer(GovernorLayer {
+                config: Box::leak(governor_conf),
+            })
+        )
         .route("/api/auth/logout", post(handlers::auth::logout_handler))
         .route("/api/auth/check", get(handlers::auth::check_auth_handler))
         // App Routes