From 056841dc5e2bce2b9ec355396eb59be31ba6808a Mon Sep 17 00:00:00 2001
From: Joshua Ryder <ryderjj89@outlook.com>
Date: Tue, 7 Oct 2025 14:19:25 -0400
Subject: [PATCH] rate-limit fixes

---
 server/api/auth/login.post.ts | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/server/api/auth/login.post.ts b/server/api/auth/login.post.ts
index 7ecda42..e047eb7 100644
--- a/server/api/auth/login.post.ts
+++ b/server/api/auth/login.post.ts
@@ -22,14 +22,6 @@ export default defineEventHandler(async (event) => {
     'cf-connecting-ip': cfConnectingIp,
     'getRequestIP': getRequestIP(event)
   })
-  
-  // Check rate limit: 5 attempts per 15 minutes
-  if (!checkRateLimit(clientIp, 'login', 5, 15)) {
-    throw createError({
-      statusCode: 429,
-      message: 'Too many login attempts. Please try again in 15 minutes.'
-    })
-  }
 
   const body = await readBody(event)
   const { username, password } = body
@@ -44,6 +36,14 @@ export default defineEventHandler(async (event) => {
   const user = getUserByUsername(username.toLowerCase())
 
   if (!user) {
+    // Check rate limit ONLY on failed attempt
+    if (!checkRateLimit(clientIp, 'login', 5, 15)) {
+      console.log(`[LOGIN BLOCKED] Rate limited - Username not found: ${username.toLowerCase()}, IP: ${clientIp}`)
+      throw createError({
+        statusCode: 429,
+        message: 'Too many login attempts. Please try again in 15 minutes.'
+      })
+    }
     console.log(`[LOGIN FAILED] Username not found: ${username.toLowerCase()}, IP: ${clientIp}`)
     throw createError({
       statusCode: 401,
@@ -55,6 +55,14 @@ export default defineEventHandler(async (event) => {
   const passwordMatch = await bcrypt.compare(password, user.password)
 
   if (!passwordMatch) {
+    // Check rate limit ONLY on failed attempt
+    if (!checkRateLimit(clientIp, 'login', 5, 15)) {
+      console.log(`[LOGIN BLOCKED] Rate limited - Invalid password for user: ${username.toLowerCase()}, IP: ${clientIp}`)
+      throw createError({
+        statusCode: 429,
+        message: 'Too many login attempts. Please try again in 15 minutes.'
+      })
+    }
     console.log(`[LOGIN FAILED] Invalid password for user: ${username.toLowerCase()}, IP: ${clientIp}`)
     throw createError({
       statusCode: 401,