MFA

2026-01-16 18:04:39 -05:00
parent 63385e049c
commit cf97dffbfb
31 changed files with 4405 additions and 56 deletions
--- a/backend/middleware/rateLimiter.js
+++ b/backend/middleware/rateLimiter.js
@@ -207,6 +207,57 @@ const authRateLimiters = {
    legacyHeaders: false,
    handler: createRateLimitHandler('general'),
  }),
+
+  // Two-Factor Authentication rate limiters
+  twoFactorVerification: rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 10, // 10 verification attempts per 15 minutes
+    message: {
+      error: "Too many verification attempts. Please try again later.",
+      retryAfter: 900,
+    },
+    standardHeaders: true,
+    legacyHeaders: false,
+    skipSuccessfulRequests: true,
+    handler: createRateLimitHandler('twoFactorVerification'),
+  }),
+
+  twoFactorSetup: rateLimit({
+    windowMs: 60 * 60 * 1000, // 1 hour
+    max: 5, // 5 setup attempts per hour
+    message: {
+      error: "Too many setup attempts. Please try again later.",
+      retryAfter: 3600,
+    },
+    standardHeaders: true,
+    legacyHeaders: false,
+    handler: createRateLimitHandler('twoFactorSetup'),
+  }),
+
+  recoveryCode: rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 3, // 3 recovery code attempts per 15 minutes
+    message: {
+      error: "Too many recovery code attempts. Please try again later.",
+      retryAfter: 900,
+    },
+    standardHeaders: true,
+    legacyHeaders: false,
+    skipSuccessfulRequests: false, // Count all attempts for security
+    handler: createRateLimitHandler('recoveryCode'),
+  }),
+
+  emailOtpSend: rateLimit({
+    windowMs: 10 * 60 * 1000, // 10 minutes
+    max: 2, // 2 OTP sends per 10 minutes
+    message: {
+      error: "Please wait before requesting another code.",
+      retryAfter: 600,
+    },
+    standardHeaders: true,
+    legacyHeaders: false,
+    handler: createRateLimitHandler('emailOtpSend'),
+  }),
 };

 module.exports = {
@@ -223,6 +274,12 @@ module.exports = {
  emailVerificationLimiter: authRateLimiters.emailVerification,
  generalLimiter: authRateLimiters.general,

+  // Two-Factor Authentication rate limiters
+  twoFactorVerificationLimiter: authRateLimiters.twoFactorVerification,
+  twoFactorSetupLimiter: authRateLimiters.twoFactorSetup,
+  recoveryCodeLimiter: authRateLimiters.recoveryCode,
+  emailOtpSendLimiter: authRateLimiters.emailOtpSend,
+
  // Burst protection
  burstProtection,