## 28) Login failure delay can enable app-layer DoS

2026-04-29 19:02:00 +02:00
parent 1e2576af2a
commit 9072117db3
6 changed files with 119 additions and 46 deletions
--- a/Docs/Tasks.md
+++ b/Docs/Tasks.md
@@ -1,41 +1,3 @@
-## 27) Error response body shape is inconsistent
- Where found:
-	- [backend/app/main.py](backend/app/main.py)
-	- [backend/app/routers](backend/app/routers)
-	- [frontend/src/api/client.ts](frontend/src/api/client.ts)
- Why this is needed:
-	- Frontend cannot reliably branch on machine-readable error codes.
- Goal:
-	- Standard error response schema with code + detail + metadata.
- What to do:
-	- Add shared error model and update handlers.
- Possible traps and issues:
-	- Legacy consumers parsing detail strings may break.
- Docs changes needed:
-	- Add backend error schema and mapping table.
- Doc references:
-	- [Docs/Backend-Development.md](Docs/Backend-Development.md)
-
---
-
-## 28) Login failure delay can enable app-layer DoS
- Where found:
-	- [backend/app/routers/auth.py](backend/app/routers/auth.py#L110)
- Why this is needed:
-	- Fixed 10-second await for invalid login attempts can amplify load impact.
- Goal:
-	- Keep brute-force resistance without exhausting request capacity.
- What to do:
-	- Replace fixed sleep with limiter-backed penalty strategy and concurrency protection.
- Possible traps and issues:
-	- Too little penalty weakens brute-force protection.
- Docs changes needed:
-	- Document authentication throttling strategy.
- Doc references:
-	- [backend/app/utils/rate_limiter.py](backend/app/utils/rate_limiter.py)
-
---
-
 ## 29) Blocklist URL validation has DNS-rebinding window
 - Where found:
 	- [backend/app/utils/ip_utils.py](backend/app/utils/ip_utils.py#L145)