Problem
There is no HTTP-level rate limiting anywhere in the backend. No @nestjs/throttler module, no rate-limiting middleware. The only rate controls are per-feature email cooldowns in threshold.config.ts.
This means login, API, SQL executor, and share password endpoints can be hit at unlimited frequency.
Impact
- Brute-force password attacks on login
- Brute-force share link passwords
- API abuse / resource exhaustion
- SQL executor can be used for database-level DoS
Suggested Fix
- Add @nestjs/throttler with tiered limits (strict for auth, moderate for API, tight for SQL)
- Or use a reverse proxy (nginx/Caddy) rate limiter in front of the app
- Consider IP-based + user-based sliding window
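The IP-based + user-based sliding window suggested above, as an added reference implementation. This is not project code and not @nestjs/throttler; it shows the counting logic a guard would need. The per-tier limits are assumed values (the issue only says strict/moderate/tight), and the IP/user identifiers in the demo are constructed.

```typescript
// Added example: tiered sliding-window rate limiter keyed by client IP and,
// when authenticated, by user id. Both keys must be under their limit, so a
// brute-force spread across many IPs against one account is still caught.
// Limits below are assumptions for illustration, not values from the issue.

type Tier = 'auth' | 'api' | 'sql';

interface TierPolicy {
  limit: number;     // max requests per window
  windowMs: number;  // window length in milliseconds
}

// 'auth' covers login and share-link password checks, 'sql' the SQL executor.
const POLICIES: Record<Tier, TierPolicy> = {
  auth: { limit: 5, windowMs: 60_000 },
  api: { limit: 100, windowMs: 60_000 },
  sql: { limit: 10, windowMs: 60_000 },
};

interface Decision {
  allowed: boolean;
  remaining: number;     // requests left in the tightest matching window
  retryAfterMs: number;  // 0 when allowed; otherwise time until the oldest hit expires
}

class SlidingWindowLimiter {
  // key -> timestamps of accepted requests still inside the window
  private readonly hits = new Map<string, number[]>();

  constructor(private readonly policies: Record<Tier, TierPolicy> = POLICIES) {}

  check(tier: Tier, ip: string, userId: string | null, now: number = Date.now()): Decision {
    const policy = this.policies[tier];
    const keys = [`${tier}:ip:${ip}`];
    if (userId !== null) keys.push(`${tier}:user:${userId}`);

    let allowed = true;
    let remaining = policy.limit;
    let retryAfterMs = 0;

    for (const key of keys) {
      const stamps = this.prune(key, now, policy.windowMs);
      if (stamps.length >= policy.limit) {
        allowed = false;
        // Oldest surviving hit is stamps[0]; the window frees up when it ages out.
        retryAfterMs = Math.max(retryAfterMs, stamps[0] + policy.windowMs - now);
      }
      remaining = Math.min(remaining, policy.limit - stamps.length);
    }

    if (allowed) {
      // Record the hit against every key only when the request is accepted,
      // so rejected requests do not extend the lockout.
      for (const key of keys) this.hits.get(key)!.push(now);
      remaining -= 1;
    }
    return { allowed, remaining: Math.max(0, remaining), retryAfterMs };
  }

  // Drop timestamps older than the window and return the survivors (oldest first).
  private prune(key: string, now: number, windowMs: number): number[] {
    const stamps = (this.hits.get(key) ?? []).filter((t) => now - t < windowMs);
    this.hits.set(key, stamps);
    return stamps;
  }
}

// Demo: a login brute-force from one IP, then the same account attacked from a
// second IP (constructed identifiers). Returns the decision on the blocked request
// and the decision after the window has moved on.
function demoLoginBruteForce(): { sameIp: Decision; secondIp: Decision; afterWindow: Decision } {
  const limiter = new SlidingWindowLimiter();
  const t0 = 1_000_000;
  for (let i = 0; i < 5; i++) limiter.check('auth', '203.0.113.7', 'alice', t0 + i);
  const sameIp = limiter.check('auth', '203.0.113.7', 'alice', t0 + 5);      // 6th from same IP
  const secondIp = limiter.check('auth', '198.51.100.9', 'alice', t0 + 6);   // fresh IP, same user
  const afterWindow = limiter.check('auth', '203.0.113.7', 'alice', t0 + 60_000); // oldest hit aged out
  return { sameIp, secondIp, afterWindow };
}

export { SlidingWindowLimiter, POLICIES, demoLoginBruteForce };
```

In a NestJS app this would sit behind a guard that reads the client IP (honouring a trusted proxy header only when a reverse proxy is actually in front) and the authenticated user, maps the route to a tier, and returns 429 with a Retry-After header built from retryAfterMs.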
Found during source code review of v1.10.0.