mirror of
https://github.com/mauriceboe/TREK.git
synced 2026-06-19 13:21:46 +00:00
ce8d498f2d
TOTP brute-force is a realistic attack once a password is compromised: with no independent throttle, an attacker shared the login budget (10 attempts) across /login, /register, and /mfa/verify-login, and /mfa/enable had no rate limiting at all.

- Add a dedicated `mfaAttempts` store so MFA limits are tracked separately from login attempts
- Introduce `mfaLimiter` (5 attempts / 15 min) applied to both /mfa/verify-login and /mfa/enable
- Refactor `rateLimiter()` to accept an optional store parameter, keeping all existing call-sites unchanged
- Include mfaAttempts in the periodic cleanup interval
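The separation this commit describes, as an added illustration that is not TREK's own code: a minimal in-memory `rateLimiter()` whose store is a parameter, so the MFA endpoints draw on `mfaAttempts` while login keeps its own budget, plus the cleanup that expires stale entries. The JavaScript, the `attempt(key, at)` shape, the `retryAfterMs` field and the sample client address are assumptions for illustration; only the names and the 10 / 5-per-15-min limits come from the commit message.

```javascript
// Added example, not the project's code. Separate stores are the whole point:
// exhausting the MFA budget must not touch the login budget, and vice versa.
const loginAttempts = new Map(); // key -> { count, resetAt }
const mfaAttempts = new Map();   // dedicated store for /mfa/verify-login and /mfa/enable

// Returns an attempt-checker bound to one store (defaults to the login store, so
// existing login/register call-sites need no change). `at` is the current time
// in ms; it is injectable so behaviour can be tested without real clocks.
function rateLimiter({ max, windowMs, store = loginAttempts }) {
  return function attempt(key, at = Date.now()) {
    const entry = store.get(key);
    if (!entry || entry.resetAt <= at) {
      // First attempt in a fresh window: start counting.
      store.set(key, { count: 1, resetAt: at + windowMs });
      return { allowed: true, remaining: max - 1, retryAfterMs: 0 };
    }
    entry.count += 1;
    const allowed = entry.count <= max;
    return {
      allowed,
      remaining: Math.max(0, max - entry.count),
      retryAfterMs: allowed ? 0 : entry.resetAt - at, // hint for a Retry-After header
    };
  };
}

// Periodic cleanup: drop windows that have already expired. Returns the number
// of entries still tracked so callers (and tests) can observe the effect.
function cleanup(store, at = Date.now()) {
  for (const [key, entry] of store) {
    if (entry.resetAt <= at) store.delete(key);
  }
  return store.size;
}

const WINDOW_MS = 15 * 60 * 1000;
// Login budget shared by /login and /register (10 attempts per window).
const loginLimiter = rateLimiter({ max: 10, windowMs: WINDOW_MS });
// MFA budget: 5 attempts per 15 min, tracked in its own store.
const mfaLimiter = rateLimiter({ max: 5, windowMs: WINDOW_MS, store: mfaAttempts });

// In a real service this interval would run for the process lifetime; here it
// is unref'd so a one-shot run can exit.
const sweeper = setInterval(() => { cleanup(loginAttempts); cleanup(mfaAttempts); }, 60 * 1000);
if (sweeper.unref) sweeper.unref();
```

A route handler would call the matching limiter with the client key before verifying the code and answer 429 with `retryAfterMs` when `allowed` is false.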