27f8db4c671e61dbbd4b4d734561cd17560b625a
Pre-audit: 20 rapid wrong-password attempts all returned 401 with no lockout. Brute-force open.

Post-fix: better-auth's built-in rate limiter caps /sign-in/email at 5 attempts per 60s. Verified live — attempts 1-5 return 401, attempt 6+ returns 429 "Too many requests". Same tight cap applied to /sign-up/email, /forget-password, /reset-password. Default 120/min for everything else so legitimate multi-widget dashboards aren't hampered.

Memory storage in this commit (resets on restart). Production multi-replica swap to `storage: 'database'` planned for a follow-up once the rateLimit migration is run.

Also: in production, trust X-Forwarded-For / X-Real-IP so the IP that rate-limit + audit logging see is the real client, not the proxy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
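The policy this commit message describes (5 attempts per 60 s on the four credential routes, 120/min elsewhere, in-memory counters, and forwarded-IP headers honoured only behind a trusted proxy), modelled as an added stand-alone example. This is not better-auth's implementation and not code from this repository; the type and function names (`RateLimitRule`, `AuthRequest`, `RateLimiter`, `clientIp`, `simulateBruteForce`, `sixthBlockedWithSpoofedXff`) and the sample addresses are assumptions made for illustration. The second helper shows the caveat behind the commit's "in production" qualifier: enabling proxy trust when no proxy actually sets the header lets a forged X-Forwarded-For split the count across phantom clients.

```typescript
// Added example: a stand-alone model of the per-route fixed-window limits the commit
// message describes. NOT better-auth's implementation; all names here are assumptions.

interface RateLimitRule { window: number; max: number } // window in seconds

// 120 requests per minute for everything not listed in CUSTOM_RULES.
const DEFAULT_RULE: RateLimitRule = { window: 60, max: 120 };

// The tight cap the commit puts on the four credential-handling routes.
const CUSTOM_RULES: Record<string, RateLimitRule> = {
  "/sign-in/email": { window: 60, max: 5 },
  "/sign-up/email": { window: 60, max: 5 },
  "/forget-password": { window: 60, max: 5 },
  "/reset-password": { window: 60, max: 5 },
};

interface AuthRequest {
  path: string;
  remoteAddr: string;               // peer address of the TCP connection
  headers: Record<string, string>;  // lower-cased header names
}

// Address the limiter keys on. X-Forwarded-For / X-Real-IP are honoured only when the app
// is told it sits behind a proxy it trusts; otherwise a client could send a fresh
// X-Forwarded-For on every request and be counted as a new client each time. Assumes the
// trusted proxy SETS the header (overwriting any client-supplied value); with a proxy that
// appends, use the address immediately left of the trusted hops instead of the first one.
function clientIp(req: AuthRequest, trustProxy: boolean): string {
  if (!trustProxy) return req.remoteAddr;
  const xff = req.headers["x-forwarded-for"];
  if (xff) {
    const first = xff.split(",")[0];
    if (first && first.trim()) return first.trim();
  }
  const real = req.headers["x-real-ip"];
  return real && real.trim() ? real.trim() : req.remoteAddr;
}

interface Bucket { count: number; start: number } // start of the window, ms
interface Verdict { allowed: boolean; remaining: number; retryAfter: number } // retryAfter in s

// In-memory fixed-window counter: the "memory storage" the commit notes resets on restart
// and is not shared between replicas (hence the planned move to database storage).
class RateLimiter {
  private readonly buckets = new Map<string, Bucket>();
  constructor(
    private readonly trustProxy = false,
    private readonly now: () => number = () => Date.now(), // injectable clock for tests
  ) {}

  ruleFor(path: string): RateLimitRule {
    return CUSTOM_RULES[path] ?? DEFAULT_RULE;
  }

  // Decided before the route handler runs: a rejected request never reaches the password
  // check, so the caller sees 429 instead of the handler's 401.
  check(req: AuthRequest): Verdict {
    const rule = this.ruleFor(req.path);
    const windowMs = rule.window * 1000;
    const key = `${clientIp(req, this.trustProxy)}:${req.path}`;
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t - b.start >= windowMs) {
      b = { count: 0, start: t }; // open a new window
      this.buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= rule.max;
    return {
      allowed,
      remaining: Math.max(0, rule.max - b.count),
      retryAfter: allowed ? 0 : Math.ceil((b.start + windowMs - t) / 1000),
    };
  }
}

// Replay the commit's live check: N rapid attempts to one path from one (constructed)
// address. The simulated credential handler always answers 401 (wrong password), so each
// entry is 401 (reached the handler) or 429 (stopped by the limiter).
function simulateBruteForce(attempts: number, path = "/sign-in/email"): number[] {
  let t = 0;
  const limiter = new RateLimiter(false, () => t);
  const statuses: number[] = [];
  for (let i = 0; i < attempts; i++) {
    t += 100; // 100 ms apart: all inside one 60 s window
    const v = limiter.check({ path, remoteAddr: "203.0.113.7", headers: {} });
    statuses.push(v.allowed ? 401 : 429);
  }
  return statuses;
}

// Six requests from one socket, each carrying a different X-Forwarded-For value; returns
// true if the sixth is blocked. With trustProxy=false the header is ignored and the cap
// holds. With trustProxy=true but no real proxy setting the header, the forged values are
// counted as six clients and the cap is bypassed: proxy trust belongs only behind the proxy.
function sixthBlockedWithSpoofedXff(trustProxy: boolean): boolean {
  let t = 0;
  const limiter = new RateLimiter(trustProxy, () => t);
  let last: Verdict = { allowed: true, remaining: 0, retryAfter: 0 };
  for (let i = 1; i <= 6; i++) {
    t += 100;
    last = limiter.check({
      path: "/sign-in/email",
      remoteAddr: "203.0.113.7",
      headers: { "x-forwarded-for": `198.51.100.${i}` },
    });
  }
  return !last.allowed;
}

console.log(simulateBruteForce(20)); // five 401s, then fifteen 429s
console.log(sixthBlockedWithSpoofedXff(false), sixthBlockedWithSpoofedXff(true)); // true false
```

The limiter keys on client address plus path, so a burst against /sign-in/email does not consume the budget of a dashboard request from the same user, matching the commit's reason for keeping the default cap loose. `retryAfter` is what a handler would place in a `Retry-After` header next to the 429.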