From 8572c0fb80fbe197104b2241a225b3c315119cb2 Mon Sep 17 00:00:00 2001
From: Ahmed Haitham
Date: Sun, 1 Jun 2025 05:56:48 +0300
Subject: [PATCH] Potential fix for code scanning alert no. 38: Missing rate limiting
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 package.json | 3 ++-
 routes/GenericRoutes.js | 12 +++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index 49901b22..35658381 100644
--- a/package.json
+++ b/package.json
@@ -35,7 +35,8 @@
 "pdfkit": "^0.14.0",
 "socket.io": "^4.7.2",
 "stripe": "^14.4.0",
- "uuid": "^11.1.0"
+ "uuid": "^11.1.0",
+ "express-rate-limit": "^7.5.0"
 },
 "devDependencies": {
 "@types/debug": "^4.1.9",
diff --git a/routes/GenericRoutes.js b/routes/GenericRoutes.js
index 10614473..cc92e9d6 100644
--- a/routes/GenericRoutes.js
+++ b/routes/GenericRoutes.js
@@ -1,5 +1,6 @@
 const express = require("express");
 const router = express.Router();
+const rateLimit = require("express-rate-limit");
 
 // ==========================
 // Controllers
@@ -10,10 +11,19 @@ const {
 createPaymentIntent,
 } = require("../functions/CreatePaymentIntent.js");
 
+// ==========================
+// Rate Limiting
+// ==========================
+const loginRateLimiter = rateLimit({
+ windowMs: 15 * 60 * 1000, // 15 minutes
+ max: 100, // limit each IP to 100 requests per windowMs
+ message: "Too many login attempts from this IP, please try again later.",
+});
+
 // ==========================
 // Routes
 // ==========================
-router.post("/login", LoginController.login);
+router.post("/login", loginRateLimiter, LoginController.login);
 router.post("/logout", LoginController.logout);
 router.post("/resetPassword", resetPassword);
 router.post("/payment/payment-intent", createPaymentIntent);
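Review bot: `"express-rate-limit": "^7.5.0"` is appended after `uuid`, breaking the alphabetical order the rest of the `dependencies` block keeps; it belongs next to the existing `express` entry, which is presumably earlier in the file and outside this hunk. The diffstat lists only package.json and routes/GenericRoutes.js, so if the project commits a package-lock.json it is now stale for this caret range and the resolved version floats until `npm install` is rerun and the lockfile committed alongside.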
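Review bot: The limiter is attached only to `/login`; `/resetPassword` in the same hunk stays unthrottled even though password-reset abuse (account enumeration, mail flooding) is the same class the alert is about, and `/payment/payment-intent`, which presumably creates Stripe intents, has no cap either — at minimum `router.post("/resetPassword", loginRateLimiter, resetPassword);`. 100 attempts per IP per 15 minutes is generous for a credential endpoint, so consider a lower ceiling for `/login`, and since express-rate-limit keys on `req.ip`, confirm the app sets `trust proxy` when it runs behind a reverse proxy — otherwise every client shares the proxy's address, one noisy client locks out all of them, and the library's validation checks warn about it. In v7 the `max` option was renamed `limit` (`max` still works as a deprecated alias), and adding `standardHeaders: "draft-7", legacyHeaders: false,` gives clients the standard RateLimit headers instead of the legacy X-RateLimit ones. The hunk opens inside the tail of a destructuring `const { … } = require("../functions/CreatePaymentIntent.js")` whose start is outside the hunk.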