From a2368889f5a4f4d29ec2caca62ff9b22c09ab4ed Mon Sep 17 00:00:00 2001
From: Brandon Corbett
Date: Fri, 3 Jul 2026 17:34:33 +0200
Subject: [PATCH] fix(registration): rate limit the register endpoint

Apply the shared per-IP and per-identity OTP limiters to POST /registration/register, which previously had no rate limiting. This closes an unthrottled path for registration/OTP spam and account enumeration. The peer /registration/phone route already used these limiters.
---
 .changeset/registration-rate-limit.md | 9 +++++++++
 src/routes/registration.routes.ts | 1 +
 2 files changed, 10 insertions(+)
 create mode 100644 .changeset/registration-rate-limit.md

diff --git a/.changeset/registration-rate-limit.md b/.changeset/registration-rate-limit.md
new file mode 100644
index 0000000..c761d64
--- /dev/null
+++ b/.changeset/registration-rate-limit.md
@@ -0,0 +1,9 @@
+---
+'seamless-auth-api': patch
+---
+
+Rate limit the `POST /registration/register` endpoint.
+
+Registration now applies the same per-IP and per-identity limiters already used by
+the OTP and phone-registration routes. This closes an unthrottled path that allowed
+registration/OTP spam and account enumeration against the endpoint.
diff --git a/src/routes/registration.routes.ts b/src/routes/registration.routes.ts
index 3964e79..82736e4 100644
--- a/src/routes/registration.routes.ts
+++ b/src/routes/registration.routes.ts
@@ -26,6 +26,7 @@ registrationRouter.post(
 {
 summary: 'Register a new user',
 tags: ['Registration'],
+ middleware: [otpIpLimiter, otpIdentityLimiter],
 schemas: {
 body: RegistrationRequestSchema,