[H1] No rate-limit/lockout on the login path #15
Severity: High
Component(s): server
Affected file(s): server/src/api/auth.rs

Problem:
The login path has no rate-limiting or lockout, while machine-enroll already has elaborate protection.
Recommended fix:
Reuse the enroll rate-limiter keyed on (username.lower(), client_ip) and return 429 after a threshold.

Remediation phase: P0
From the 2026-06-05 three-way review (Claude+Gemini+Grok) — see reports/review-2026-06-05/SYNTHESIS-three-way.md (finding H1) and REMEDIATION-PLAN.md (P0).
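The fix above in concrete form, as an added example that is not code from this project: a fixed-window counter keyed on (lowercased username, client IP) that the login handler consults before verifying the password, returning a decision the handler maps to HTTP 429 once the threshold is hit. The names LoginRateLimiter, LoginKey and LoginDecision, the 5-per-60s threshold and the sample IP are assumptions; the project's enroll limiter is not shown in the issue, so this is a stand-in for it rather than a copy.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
use std::time::{Duration, Instant};

/// Bucket key proposed in the issue: case-folded username plus client IP.
/// Case-folding stops "Alice" and "alice" from getting separate budgets.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct LoginKey {
    pub username: String,
    pub client_ip: IpAddr,
}

impl LoginKey {
    pub fn new(username: &str, client_ip: IpAddr) -> Self {
        LoginKey { username: username.trim().to_lowercase(), client_ip }
    }
}

/// Outcome of the pre-authentication check; the handler maps it to an HTTP status.
#[derive(Debug, PartialEq, Eq)]
pub enum LoginDecision {
    Allow,
    TooManyRequests { retry_after: Duration },
}

impl LoginDecision {
    pub fn status_code(&self) -> u16 {
        match self {
            LoginDecision::Allow => 200,
            LoginDecision::TooManyRequests { .. } => 429,
        }
    }
}

/// Fixed-window counter per (username, ip). Hypothetical stand-in for the
/// project's enroll limiter, which the issue references but does not show.
pub struct LoginRateLimiter {
    max_attempts: u32,
    window: Duration,
    // window start and attempts counted in that window
    buckets: HashMap<LoginKey, (Instant, u32)>,
}

impl LoginRateLimiter {
    pub fn new(max_attempts: u32, window: Duration) -> Self {
        LoginRateLimiter { max_attempts, window, buckets: HashMap::new() }
    }

    /// Record one attempt at `now` and decide whether the handler may proceed to
    /// password verification. Call this before touching the credential store.
    pub fn check(&mut self, key: LoginKey, now: Instant) -> LoginDecision {
        let (window, max_attempts) = (self.window, self.max_attempts);
        let entry = self.buckets.entry(key).or_insert((now, 0));
        if now.saturating_duration_since(entry.0) >= window {
            // Window has rolled over: start a fresh count.
            *entry = (now, 0);
        }
        if entry.1 >= max_attempts {
            // Over threshold: refuse without counting, tell the client when to retry.
            let retry_after = window.saturating_sub(now.saturating_duration_since(entry.0));
            return LoginDecision::TooManyRequests { retry_after };
        }
        entry.1 += 1;
        LoginDecision::Allow
    }

    /// Clear the bucket after a successful login so earlier typos are not held
    /// against the user.
    pub fn reset(&mut self, key: &LoginKey) {
        self.buckets.remove(key);
    }

    /// Drop buckets whose window has passed; run periodically so the map does
    /// not grow without bound under spray traffic.
    pub fn evict_expired(&mut self, now: Instant) {
        let window = self.window;
        self.buckets.retain(|_, (start, _)| now.saturating_duration_since(*start) < window);
    }

    pub fn tracked_keys(&self) -> usize {
        self.buckets.len()
    }
}

fn main() {
    let mut limiter = LoginRateLimiter::new(5, Duration::from_secs(60));
    let ip: IpAddr = "203.0.113.7".parse().unwrap(); // constructed sample address
    let now = Instant::now();
    for attempt in 1..=6 {
        let decision = limiter.check(LoginKey::new("Alice", ip), now);
        println!("attempt {attempt}: HTTP {}", decision.status_code());
    }
}
```

The (username, ip) key bounds one source hammering one account, which is the case the issue describes. Note that a spray across many source addresses against one account, or across many accounts from one address, lands in different buckets, so a per-account and a per-IP ceiling alongside this one, plus a log line on every 429, give detection something to alert on.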