example/auth-service
Add per-IP rate limiting to the login endpoint
Adds an in-memory token-bucket limiter and applies it to /auth/login. The goal is to slow down credential-stuffing attacks without affecting legitimate users. The limiter is intentionally simple — a single-process in-memory dict — because we only need short-term throttling and we already shed traffic at the load balancer for sustained abuse.
feature/login-rate-limit → main, 3 files, 5/5/2026