From 94dbb795cc3fe9799d34beb5d6bfa052eba81b0c Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien <tvanbesi@proton.me>
Date: Sun, 22 Mar 2026 13:57:45 +0100
Subject: Add rate limiting on login and password reset endpoints

Track attempts per IP in a rate_limits table with a sliding time
window. Login allows 5 failed attempts per 15 min, password reset
allows 3 requests per 15 min. Old entries are purged automatically.
---
 docker/mariadb/init.sql | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'docker/mariadb')

diff --git a/docker/mariadb/init.sql b/docker/mariadb/init.sql
index 2cc0d6f..29f0733 100644
--- a/docker/mariadb/init.sql
+++ b/docker/mariadb/init.sql
@@ -28,6 +28,16 @@ CREATE TABLE IF NOT EXISTS likes (
     FOREIGN KEY (post_id) REFERENCES posts(id) ON DELETE CASCADE
 );
 
+-- Tracks actions per IP for rate limiting (e.g. failed logins, password resets).
+-- Old rows are cleaned up on each check so the table doesn't grow unbounded.
+CREATE TABLE IF NOT EXISTS rate_limits (
+    id INT AUTO_INCREMENT PRIMARY KEY,
+    ip VARCHAR(45) NOT NULL,
+    action VARCHAR(30) NOT NULL,
+    attempted_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    INDEX idx_rate_limits_lookup (ip, action, attempted_at)
+);
+
 CREATE TABLE IF NOT EXISTS comments (
     id INT AUTO_INCREMENT PRIMARY KEY,
     user_id INT NOT NULL,
-- 
cgit v1.2.3