
fix: Rate Limiting on Auth Endpoints #306

Open
lowkeyprisha wants to merge 2 commits into anubhavxdev:main from lowkeyprisha:feat/rate-limiters

Conversation

@lowkeyprisha

🔍 Problem

While going through the codebase in detail as part of my GSSoC '26 contribution, I found that the rate limiting implementation in authRoutes.js had the following issues:

  • /signup was using authRateLimiter (the login limiter) instead of registrationLimiter — meaning the stricter per-hour signup cap was never actually applied
  • registrationLimiter had a windowMs of only 1 minute instead of 1 hour, making it nearly ineffective against signup spam
  • Successful login attempts were being counted against the rate limit, punishing legitimate users
  • authRateLimiter was an unnecessary alias for authLimiter — confirmed unused across the entire codebase via grep

✅ Changes Made

backend/src/middleware/rateLimiters.js

  • Fixed registrationLimiter window from 60 * 1000 (1 min) → 60 * 60 * 1000 (1 hour)
  • Added skipSuccessfulRequests: true to authLimiter so legitimate logins don't get penalized
  • Removed the redundant authRateLimiter alias (confirmed zero usages in codebase)
  • Improved error messages to be more user-friendly and specific

backend/src/routes/authRoutes.js

  • /signup now correctly uses registrationLimiter
  • /login now correctly uses authLimiter
  • Updated import to use the correct named exports

🧪 Testing

Verified no other file in backend/src imports authRateLimiter using:

grep -r "authRateLimiter\|rateLimiters" backend/src --include="*.js"

Only authRoutes.js and registrationRoutes.js import from rateLimiters.js — both unaffected. Manually tested login and signup endpoints — rate limiting triggers correctly after threshold.


📎 Related Issue

Closes #209 — No Rate Limiting on Auth Endpoints — Vulnerable to Brute Force Attacks
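The three configuration points the PR corrects (a too-short `windowMs` on the signup limiter, successful logins consuming login quota, and the wrong limiter bound to `/signup`) are easiest to see by simulating traffic against the two settings side by side. The block below is an added example, not code from this repository or from express-rate-limit; it is a minimal fixed-window limiter whose option names (`windowMs`, `max`, `skipSuccessfulRequests`) mirror the library's, so it runs offline with plain Node. The limits (5 signups, 5 login attempts in a 15-minute login window), the client IP and the messages are constructed assumptions; the PR itself only fixes the signup window from 1 minute to 1 hour.

```javascript
// Added example: a fixed-window limiter modelling the express-rate-limit
// options touched by the PR. Not the project's own middleware.
class FixedWindowLimiter {
  constructor({ windowMs, max, skipSuccessfulRequests = false, message }) {
    this.windowMs = windowMs;
    this.max = max;
    this.skipSuccessfulRequests = skipSuccessfulRequests;
    this.message = message;
    this.buckets = new Map(); // client key -> { count, resetAt }
  }

  // Count one request for `key` at time `now` (ms since an arbitrary epoch).
  // A bucket whose window has expired is started fresh, which is exactly why
  // a 1-minute window lets a slow trickle of signups through unhindered.
  hit(key, now) {
    let bucket = this.buckets.get(key);
    if (!bucket || now >= bucket.resetAt) {
      bucket = { count: 0, resetAt: now + this.windowMs };
      this.buckets.set(key, bucket);
    }
    bucket.count += 1;
    return bucket.count > this.max
      ? { allowed: false, message: this.message }
      : { allowed: true };
  }

  // Called once the response is known. With skipSuccessfulRequests the hit
  // is refunded for any status below 400, so only failed logins consume
  // quota; a blocked request (429) is never refunded.
  settle(key, statusCode, now) {
    const bucket = this.buckets.get(key);
    if (!bucket || now >= bucket.resetAt) return;
    if (this.skipSuccessfulRequests && statusCode < 400 && bucket.count > 0) {
      bucket.count -= 1;
    }
  }
}

// Drive `attempts` requests from one client, `spacingMs` apart, each of which
// the application would answer with `outcomeOf(i)`. Returns how many the
// limiter rejected.
function simulate(limiter, { attempts, spacingMs, outcomeOf }) {
  const clientKey = '203.0.113.7'; // constructed client IP (TEST-NET-3 range)
  let blocked = 0;
  for (let i = 0; i < attempts; i += 1) {
    const now = i * spacingMs;
    const verdict = limiter.hit(clientKey, now);
    if (!verdict.allowed) {
      blocked += 1;
      continue;
    }
    limiter.settle(clientKey, outcomeOf(i), now);
  }
  return blocked;
}

const MAX_SIGNUPS_PER_WINDOW = 5; // assumed cap
const SIGNUP_MESSAGE = 'Too many accounts created from this address, try again later.';

// 'Before': windowMs of 60 * 1000. Twenty signups two minutes apart each land
// in a fresh window, so the per-hour cap never engages: 0 blocked.
function signupsBlockedWithMinuteWindow() {
  const limiter = new FixedWindowLimiter({
    windowMs: 60 * 1000, max: MAX_SIGNUPS_PER_WINDOW, message: SIGNUP_MESSAGE,
  });
  return simulate(limiter, { attempts: 20, spacingMs: 2 * 60 * 1000, outcomeOf: () => 201 });
}

// 'After': windowMs of 60 * 60 * 1000. The same twenty signups span 38
// minutes of one window, so everything past the fifth is rejected: 15 blocked.
function signupsBlockedWithHourWindow() {
  const limiter = new FixedWindowLimiter({
    windowMs: 60 * 60 * 1000, max: MAX_SIGNUPS_PER_WINDOW, message: SIGNUP_MESSAGE,
  });
  return simulate(limiter, { attempts: 20, spacingMs: 2 * 60 * 1000, outcomeOf: () => 201 });
}

// Login limiter: 5 attempts per assumed 15-minute window, one request per
// second, every request answered with `status`.
function loginsBlocked({ skipSuccessfulRequests, attempts, status }) {
  const limiter = new FixedWindowLimiter({
    windowMs: 15 * 60 * 1000, // assumed login window
    max: 5,
    skipSuccessfulRequests,
    message: 'Too many login attempts, please try again in 15 minutes.',
  });
  return simulate(limiter, { attempts, spacingMs: 1000, outcomeOf: () => status });
}

console.log('signups blocked, 1-minute window:', signupsBlockedWithMinuteWindow());
console.log('signups blocked, 1-hour window:  ', signupsBlockedWithHourWindow());
console.log('10 good logins, counted:         ', loginsBlocked({ skipSuccessfulRequests: false, attempts: 10, status: 200 }));
console.log('10 good logins, skipSuccessful:  ', loginsBlocked({ skipSuccessfulRequests: true, attempts: 10, status: 200 }));
console.log('8 failed logins, skipSuccessful: ', loginsBlocked({ skipSuccessfulRequests: true, attempts: 8, status: 401 }));
```

The last two lines are the defender's check on `skipSuccessfulRequests`: a user who logs in correctly ten times in a row is never locked out, while eight wrong passwords from the same client still trip the limiter after the fifth, so the brute-force protection from #209 is intact.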

@vercel

vercel Bot commented May 24, 2026

@lowkeyprisha is attempting to deploy a commit to the anubhav12302387's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions

👋 Thanks for opening a PR, @lowkeyprisha!

Your PR has entered the 🎯 EventOne GSSoC PR Review Pipeline.

🟢 GSSoC PR detected — your PR will be routed to an approved GSSoC mentor for Stage 2 review.

What happens next

Stage 1 — Automated Validation. Reviewer: 🤖 Bot. Checks: Title format · Issue link · AI Slop · Branch check
Stage 2 — Mentor Review. Reviewer: 🧑‍🏫 GSSoC Mentor. Checks: Code + Quality Review
Stage 3 — Admin Final Gate. Reviewer: 🔑 @anubhavxdev. Checks: Label check + Final Merge Decision

A pipeline status comment will appear below and update automatically as your PR progresses.


While you wait

  • Sign all commits using git commit -s
  • Link your issue with Closes #123
  • Use a feature branch — not main
  • Avoid unrelated changes in the same PR
  • Write your own description — no AI-generated content

This comment is posted only once.

EventOne × GSSoC Automated Pipeline

@github-actions

github-actions Bot commented May 24, 2026

✅ PR Format Check — Passed

Hi @lowkeyprisha! Your PR passed all automated checks and is now queued for mentor review. 🎉

✅ Checks Passed

  • Conventional Commits title format ✓
  • Issue linked ✓
  • Description length sufficient ✓
  • Valid feature branch ✓

📋 EventOne PR Guidelines

Title format — Conventional Commits:
feat: · fix: · docs: · style: · refactor: · test: · chore: · perf:

Always link an issue: Closes #number

Use a feature branch — never PR directly from main

Write your own description — AI-generated content = gssoc:ai-slop label

EventOne × GSSoC Pipeline — Stage 1 Automated Check

Nitya-003 previously approved these changes May 25, 2026
@lowkeyprisha (Author)

  • Backend Tests / Playwright — Jest cannot parse registrationController.js
    (line 178 syntax error). Fails identically on a clean main branch checkout.

  • Frontend Lint & Build — Syntax error in
    src/components/mvpblocks/footer-standard.jsx line 261
    (CSS template literal issue). Exists before my changes.

  • Vercel — Authorization required, repo owner needs to configure this.

This PR only modifies:
✅ backend/src/middleware/rateLimiters.js
✅ backend/src/routes/authRoutes.js

Both pass the Backend Install & Lint check successfully ✅

@Karanjot786

Hey @lowkeyprisha! Saw your work on GSSoC 2026.

We are building TermUI, a TypeScript terminal UI framework with React-style hooks and JSX, rendered entirely in the terminal.

We have well-scoped bug-fix issues open with clear reproduction steps. Your JavaScript background transfers directly.

Karanjot, TermUI maintainer


Labels: bug, documentation, enhancement, good first issue, gssoc:review (GSSoC: Under review), stage-1-approved (Pipeline: Stage 1 automated checks passed)
