LOW: Login rate limiter bypassed when no users exist (first-run timing window) #83
Labels
No Label
architecture
backend
bug
feature
frontend
priority:critical
priority:high
priority:low
priority:medium
priority:nice-to-have
ux
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: null/BillTracker#83
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Bug Description
server.js:46-60 implements skipRateLimitIfNoUsers() which queries the DB on every login request when no session exists. This means:
Impact
Minimal in practice - the window is only during initial setup. But the timing leak could be used to fingerprint whether the app has been set up.
Recommended Fix
Consider a fixed-rate limit even for the no-users state (e.g., 20 requests/15min) that allows legitimate setup while preventing abuse.