docs(auth): add password security hardening plan and code markers

2026-02-20 20:07:26 -05:00
parent ea864b27d4
commit 0baf237548
4 changed files with 113 additions and 5 deletions
--- a/index.js
+++ b/index.js
@@ -37,6 +37,10 @@ const limiter = rateLimit({
 app.set('trust proxy', true);
 app.use(limiter);

+// SECURITY PLAN (point #3):
+// Add dedicated auth limiter(s) for /login and password reset endpoints.
+// Use tighter thresholds than the global limiter and key by account+IP.
+
 // Authentication
 const { signup, login, logout, resetPassword } = require('./auth/authEmail.js');
 /**
@@ -71,6 +75,8 @@ const { signup, login, logout, resetPassword } = require('./auth/authEmail.js');
 *       400:
 *         description: Bad request.
 */
+// SECURITY PLAN (point #2):
+// Make signup/login POST-only once clients are aligned.
 app.route('/signup').get(signup).post(signup);
 /**
 * @swagger
@@ -153,6 +159,10 @@ app.get('/logout', logout);
 *         description: Bad request.
 */
 app.route('/resetPassword').post(resetPassword);
+// SECURITY PLAN (point #1):
+// Replace /resetPassword with request/confirm reset token endpoints:
+// POST /password/request-reset
+// POST /password/confirm-reset

 // Routes
 const profileRoute = require('./routes/profile.js');
@@ -486,4 +496,4 @@ DB.getDB.then((DB) => {
 });

 // Export the app for testing purposes
-module.exports = { app, mongoDB: DB };
+module.exports = { app, mongoDB: DB };