allow LOGIN_REQUEST_THROTTLER_LIMIT and LOGIN_REQUEST_THROTTLER_TTL variables

joshunrau · joshunrau · commit c7adf42bade2 · 2026-01-13T13:16:33.000-05:00
diff --git a/.env.template b/.env.template
@@ -56,8 +56,13 @@ GATEWAY_API_KEY=
 DEBUG=false
 # Whether 'verbose' level logs should be enabled
 VERBOSE=false
-# Enable rate limitting
+# Enable rate limiting
 THROTTLER_ENABLED=true
+# number of login requests from the same IP permitted in LOGIN_REQUEST_THROTTLER_TTL milliseconds (default: 50)
+LOGIN_REQUEST_THROTTLER_LIMIT=
+# the duration in milliseconds to enforce LOGIN_REQUEST_THROTTLER_LIMIT (default: 60,000)
+LOGIN_REQUEST_THROTTLER_TTL=
+
 # Disable iteration for password hashing (not recommended for production)
 # See https://pages.nist.gov/800-63-3/sp800-63b.html
 # DANGEROUSLY_DISABLE_PBKDF2_ITERATION=
diff --git a/apps/api/src/auth/auth.controller.ts b/apps/api/src/auth/auth.controller.ts
@@ -1,9 +1,11 @@
+import { $NumberLike } from '@douglasneuroinformatics/libjs';
 import { CurrentUser } from '@douglasneuroinformatics/libnest';
 import type { RequestUser } from '@douglasneuroinformatics/libnest';
 import { Body, Controller, Get, HttpCode, HttpStatus, Post } from '@nestjs/common';
 import { ApiOperation } from '@nestjs/swagger';
 import { Throttle } from '@nestjs/throttler';
 import { $LoginCredentials } from '@opendatacapture/schemas/auth';
+import z from 'zod/v4';
 
 import { RouteAccess } from '@/core/decorators/route-access.decorator.js';
 
@@ -25,7 +27,12 @@ export class AuthController {
   @HttpCode(HttpStatus.OK)
   @Post('login')
   @RouteAccess('public')
-  @Throttle({ long: { limit: 50, ttl: 60_000 } })
+  @Throttle({
+    long: {
+      limit: $NumberLike.pipe(z.number().int().positive()).default(50).parse(process.env.LOGIN_REQUEST_THROTTLER_LIMIT),
+      ttl: $NumberLike.pipe(z.number().int().positive()).default(60_000).parse(process.env.LOGIN_REQUEST_THROTTLER_TTL)
+    }
+  })
   async login(@Body() credentials: $LoginCredentials): Promise<{ accessToken: string }> {
     return this.authService.login(credentials);
   }
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -43,6 +43,8 @@ services:
       - GATEWAY_SITE_ADDRESS
       - SECRET_KEY
       - THROTTLER_ENABLED
+      - LOGIN_REQUEST_THROTTLER_LIMIT
+      - LOGIN_REQUEST_THROTTLER_TTL
       - VERBOSE
     expose:
       - 80
