diff --git a/.changeset/registration-rate-limit.md b/.changeset/registration-rate-limit.md
new file mode 100644
index 0000000..c761d64
--- /dev/null
+++ b/.changeset/registration-rate-limit.md
@@ -0,0 +1,9 @@
+---
+'seamless-auth-api': patch
+---
+
+Rate limit the `POST /registration/register` endpoint.
+
+Registration now applies the same per-IP and per-identity limiters already used by
+the OTP and phone-registration routes. This closes an unthrottled path that allowed
+registration/OTP spam and account enumeration against the endpoint.
diff --git a/src/routes/registration.routes.ts b/src/routes/registration.routes.ts
index 3964e79..82736e4 100644
--- a/src/routes/registration.routes.ts
+++ b/src/routes/registration.routes.ts
@@ -26,6 +26,7 @@ registrationRouter.post(
 {
 summary: 'Register a new user',
 tags: ['Registration'],
+ middleware: [otpIpLimiter, otpIdentityLimiter],
 schemas: {
 body: RegistrationRequestSchema,