TOTP brute-force is a realistic attack once a password is compromised: with no independent throttle, an attacker shared the login budget (10 attempts) across /login, /register, and /mfa/verify-login, and /mfa/enable had no rate limiting at all. - Add a dedicated `mfaAttempts` store so MFA limits are tracked separately from login attempts - Introduce `mfaLimiter` (5 attempts / 15 min) applied to both /mfa/verify-login and /mfa/enable - Refactor `rateLimiter()` to accept an optional store parameter, keeping all existing call-sites unchanged - Include mfaAttempts in the periodic cleanup interval |
||
|---|---|---|
| .. | ||
| public | ||
| src | ||
| .env.example | ||
| package-lock.json | ||
| package.json | ||
| reset-admin.js | ||
| tsconfig.json | ||