Skip to content

feat: add rate limiting to POST /auth/device endpoint #82

New issue
New issue
Open
Open
feat: add rate limiting to POST /auth/device endpoint#82
Labels
securitySecurity-related issuestech-debtKnown shortcuts to address later
@rorybyrne

Description

@rorybyrne
rorybyrne
opened on Mar 13, 2026

Summary

The POST /auth/device endpoint currently has no rate limiting. Each call creates a new device_authorizations row. Without rate limiting, an attacker could flood the table with pending device authorizations.

The 15-minute expiry and periodic cleanup mitigate this somewhat, but rate limiting at the endpoint level would be a proper defense.

Suggested approach

  • Add per-IP rate limiting (e.g., 10 requests/minute) to POST /auth/device
  • Consider also rate limiting POST /auth/device/token (polling endpoint)
  • Could use a middleware-based approach or FastAPI dependency

Context

Identified during code review of #81 (OAuth Device Flow).

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity-related issuestech-debtKnown shortcuts to address later

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions