Add rate limiting on login and password reset endpoints

Track attempts per IP in a rate_limits table with a sliding time
window. Login allows 5 failed attempts per 15 min, password reset
allows 3 requests per 15 min. Old entries are purged automatically.

2 files changed, 92 insertions, 0 deletions

diff --git a/src/app/Controllers/AuthController.php b/src/app/Controllers/AuthController.php
index aad40be..d1ac746 100644
--- a/src/app/Controllers/AuthController.php
+++ b/src/app/Controllers/AuthController.php
@@ -9,14 +9,24 @@ use App\Csrf;
 use App\Flash;
 use App\Mail;
 use App\Models\User;
+use App\RateLimiter;
 
 class AuthController
 {
+    // 5 failed logins per 15 minutes per IP
+    private const LOGIN_MAX_ATTEMPTS = 5;
+    private const LOGIN_WINDOW = 900;
+    // 3 password reset requests per 15 minutes per IP
+    private const RESET_MAX_ATTEMPTS = 3;
+    private const RESET_WINDOW = 900;
+
     private User $user;
+    private RateLimiter $limiter;
 
     public function __construct()
     {
         $this->user = new User();
+        $this->limiter = new RateLimiter();
     }
 
     public function registerForm(): void
@@ -107,6 +117,14 @@ class AuthController
             return;
         }
 
+        $ip = $_SERVER['REMOTE_ADDR'] ?? '';
+
+        if ($this->limiter->isLimited($ip, 'login', self::LOGIN_MAX_ATTEMPTS, self::LOGIN_WINDOW)) {
+            Flash::set('error', 'Too many login attempts. Please try again later.');
+            header('Location: /login');
+            return;
+        }
+
         $username = trim($_POST['username'] ?? '');
         $password = $_POST['password'] ?? '';
 
@@ -115,6 +133,8 @@ class AuthController
         // Use the same error message for wrong username or wrong password
         // to avoid revealing which usernames exist (user enumeration)
         if (!$user || !password_verify($password, $user['password_hash'])) {
+            // Only record failed attempts — successful logins don't count
+            $this->limiter->record($ip, 'login');
             Flash::set('error', 'Invalid username or password.');
             header('Location: /login');
             return;
@@ -154,6 +174,18 @@ class AuthController
             return;
         }
 
+        $ip = $_SERVER['REMOTE_ADDR'] ?? '';
+
+        if ($this->limiter->isLimited($ip, 'reset', self::RESET_MAX_ATTEMPTS, self::RESET_WINDOW)) {
+            Flash::set('error', 'Too many reset requests. Please try again later.');
+            header('Location: /forgot-password');
+            return;
+        }
+
+        // Record every attempt — even for non-existent emails, to prevent
+        // an attacker from probing email addresses at high speed
+        $this->limiter->record($ip, 'reset');
+
         $email = trim($_POST['email'] ?? '');
 
         // Always show the same message whether the email exists or not
diff --git a/src/app/RateLimiter.php b/src/app/RateLimiter.php
new file mode 100644
index 0000000..07b46ba
--- /dev/null
+++ b/src/app/RateLimiter.php
@@ -0,0 +1,60 @@
+<?php
+
+declare(strict_types=1);
+// Rate limiter: prevents brute-force attacks by tracking how many times an IP
+// performs a given action (e.g. login, password reset) within a sliding time window.
+
+namespace App;
+
+class RateLimiter
+{
+    private \PDO $pdo;
+
+    public function __construct()
+    {
+        $this->pdo = Database::getInstance()->getPdo();
+    }
+
+    /**
+     * Check whether the given IP has exceeded the allowed number of attempts
+     * for an action within the time window.
+     */
+    public function isLimited(string $ip, string $action, int $maxAttempts, int $windowSeconds): bool
+    {
+        // Clean up old entries first so the table doesn't grow forever
+        $this->purge($action, $windowSeconds);
+
+        $stmt = $this->pdo->prepare(
+            'SELECT COUNT(*) FROM rate_limits
+             WHERE ip = :ip AND action = :action
+             AND attempted_at > DATE_SUB(NOW(), INTERVAL :window SECOND)'
+        );
+        $stmt->execute(['ip' => $ip, 'action' => $action, 'window' => $windowSeconds]);
+
+        return (int) $stmt->fetchColumn() >= $maxAttempts;
+    }
+
+    /**
+     * Record an attempt for the given IP and action.
+     */
+    public function record(string $ip, string $action): void
+    {
+        $stmt = $this->pdo->prepare(
+            'INSERT INTO rate_limits (ip, action) VALUES (:ip, :action)'
+        );
+        $stmt->execute(['ip' => $ip, 'action' => $action]);
+    }
+
+    /**
+     * Remove entries older than the window so the table stays small.
+     */
+    private function purge(string $action, int $windowSeconds): void
+    {
+        $stmt = $this->pdo->prepare(
+            'DELETE FROM rate_limits
+             WHERE action = :action
+             AND attempted_at <= DATE_SUB(NOW(), INTERVAL :window SECOND)'
+        );
+        $stmt->execute(['action' => $action, 'window' => $windowSeconds]);
+    }
+}