From d1f5d87f3df63e86c4f0596990caf54bb319e924 Mon Sep 17 00:00:00 2001
From: Nancy <9d.24.nancy.sangani@gmail.com>
Date: Thu, 12 Mar 2026 18:55:03 +0530
Subject: [PATCH] fix: enforce rate limit for sign-ups and sign-ins
---
 internal/api/options.go | 6 ++++--
 internal/api/token.go | 5 ++++-
 internal/conf/configuration.go | 1 +
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/internal/api/options.go b/internal/api/options.go
index d47aba276..6ef6cd192 100644
--- a/internal/api/options.go
+++ b/internal/api/options.go
@@ -36,6 +36,7 @@ type LimiterOptions struct {
  Phone ratelimit.Limiter
  Signups *limiter.Limiter
+ SignIns *limiter.Limiter
  AnonymousSignIns *limiter.Limiter
  Recover *limiter.Limiter
  Resend *limiter.Limiter
@@ -106,8 +107,9 @@ func NewLimiterOptions(gc *conf.GlobalConfiguration) *LimiterOptions {
  o.MagicLink = newLimiterPer5mOver1h(gc.RateLimitOtp)
  o.Otp = newLimiterPer5mOver1h(gc.RateLimitOtp)
  o.User = newLimiterPer5mOver1h(gc.RateLimitOtp)
- o.Signups = newLimiterPer5mOver1h(gc.RateLimitOtp)
- o.OAuthClientRegister = newLimiterPer5mOver1h(gc.RateLimitOAuthDynamicClientRegister)
+ o.Signups = newLimiterPer5mOver1h(gc.RateLimitSignInSignUps)
+ o.SignIns = newLimiterPer5mOver1h(gc.RateLimitSignInSignUps)
+ o.OAuthClientRegister = newLimiterPer5mOver1h(gc.RateLimitOAuthDynamicClientRegister)
  return o
  }
diff --git a/internal/api/token.go b/internal/api/token.go
index 3a1acea09..de844f8dd 100644
--- a/internal/api/token.go
+++ b/internal/api/token.go
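Review bot: In the second hunk `o.Signups` stops reading `gc.RateLimitOtp` and reads the new `gc.RateLimitSignInSignUps` instead, so a deployment that had raised the OTP limit to accommodate its sign-up traffic silently falls back to the new default of 30 per 5 minutes; this deserves a release-note entry. `Signups` and `SignIns` are two separate limiter instances fed by the same setting, so one operator knob now controls two independent budgets, which is worth stating on the new struct field, e.g. `// SignIns bounds password-grant sign-ins; it is a separate bucket from Signups but both are sized by RateLimitSignInSignUps.` NewLimiterOptions begins before this hunk, so whatever the helper keys its buckets on is not visible here.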
@@ -42,17 +42,20 @@ func (a *API) Token(w http.ResponseWriter, r *http.Request) error {
  grantType := r.FormValue("grant_type")
  handler := a.ResourceOwnerPasswordGrant
- limiter := a.limiterOpts.Token
+ limiter := a.limiterOpts.SignIns
  switch grantType {
  case "password":
  // set above
  case "refresh_token":
  handler = a.RefreshTokenGrant
+ limiter = a.limiterOpts.Token
  case "id_token":
  handler = a.IdTokenGrant
+ limiter = a.limiterOpts.Token
  case "pkce":
  handler = a.PKCE
+ limiter = a.limiterOpts.Token
  case "web3":
  handler = a.Web3Grant
  limiter = a.limiterOpts.Web3
diff --git a/internal/conf/configuration.go b/internal/conf/configuration.go
index bbd143db2..d3704d574 100644
--- a/internal/conf/configuration.go
+++ b/internal/conf/configuration.go
@@ -386,6 +386,7 @@ type GlobalConfiguration struct {
  RateLimitSso float64 `split_words:"true" default:"30"`
  RateLimitAnonymousUsers float64 `split_words:"true" default:"30"`
  RateLimitOtp float64 `split_words:"true" default:"30"`
+ RateLimitSignInSignUps float64 `split_words:"true" default:"30"`
  RateLimitWeb3 float64 `split_words:"true" default:"30"`
  RateLimitOAuthDynamicClientRegister float64 `split_words:"true" default:"10"`
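Review bot: The hunk makes `a.limiterOpts.SignIns` the limiter for every grant type that is not explicitly overridden, so any value that reaches the `default:` branch below this hunk will be counted against the sign-in budget unless that branch returns before the limiter is consulted; the safer shape is to keep `limiter := a.limiterOpts.Token` as the default and set `limiter = a.limiterOpts.SignIns` under `case "password":` in place of the `// set above` comment, which is now misleading, removing the three repeated `limiter = a.limiterOpts.Token` lines. Separately, the password grant now shares its rate (default 30 per 5 minutes) with sign-ups, and if `newLimiterPer5mOver1h` buckets per instance rather than per client IP or identifier (its keying is not visible here), roughly 30 failed password attempts every 5 minutes from one source would lock every user out of password sign-in, so confirm the bucket granularity or document the availability trade-off. The Token function continues past the end of this hunk.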