From 9b2da944b101d39f2b9a1fcb394bfe05c41b09d9 Mon Sep 17 00:00:00 2001
From: BOHA
Date: Mon, 23 Mar 2026 08:47:03 +0100
Subject: [PATCH] security: add stricter rate limit on login endpoint (20/min)

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/routes/admin/auth.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/routes/admin/auth.ts b/src/routes/admin/auth.ts
index 93b5ea7..8daac5d 100644
--- a/src/routes/admin/auth.ts
+++ b/src/routes/admin/auth.ts
@@ -24,7 +24,14 @@ function setRefreshCookie(reply: import('fastify').FastifyReply, token: string,
 export default async function authRoutes(fastify: FastifyInstance): Promise {
   // POST /api/admin/login
-  fastify.post<{ Body: LoginRequest }>('/login', async (request, reply) => {
+  fastify.post<{ Body: LoginRequest }>('/login', {
+    config: {
+      rateLimit: {
+        max: 20,
+        timeWindow: '1 minute',
+      },
+    },
+  }, async (request, reply) => {
     const { username, password, remember_me } = request.body;
     if (!username || !password) {