7e430998b8
The filter only watched /api/auth/login 401 — leaving the forgot-password endpoint open to: - email enumeration (slow brute-force probing which addresses exist) - password-reset brute-force against accounts whose addresses leak Widens the failregex to /api/auth/(login|forgot-password) and adds 429 to the status alternation so a future in-app rate-limiter response is also caught by the jail (defense in depth). CI assertions extended to cover both new dimensions plus a negative case on an unrelated 401 endpoint (/api/documents) — pins that the widening did not over-match. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
9.0 KiB
9.0 KiB