Add Rate Limiting for Magic Link Requests

Implement Redis-based rate limiting on the magic link request endpoint. Limit to 5 requests per email per hour. Return 429 with a generic error message when the limit is exceeded. Log each request blocked by the rate limit, including the email address, IP, and user agent if available.

Note:

  • Redis key: magic-link:ratelimit:{email} with 1-hour TTL
  • Apply to /auth/magic-link/request only (not verification)
  • Config: MAGIC_LINK_RATE_LIMIT_MAX (default: 5), MAGIC_LINK_RATE_LIMIT_WINDOW_SECONDS (default: 3600)
  • No exemptions, persists across service restarts
  • Error: "Too many login attempts. Please try again later."
  • If Redis unavailable: fail with error and log
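The following is an added reference implementation of the counter described in this ticket; it is not code from the project. It uses an in-memory stand-in (`FakeRedis`, constructed here so the example runs offline) exposing the same `incr`/`expire`/`ttl` calls a redis-py client provides, so the limiter class can be pointed at a real client unchanged. The `handle_request` helper, the 503 status used for the "Redis unavailable" case, and the lowercasing of the email before it is used in the key are assumptions, not requirements stated in the ticket.

```python
import logging

log = logging.getLogger("magic_link")

# Config values from the ticket; a real service would read them from the environment.
MAGIC_LINK_RATE_LIMIT_MAX = 5
MAGIC_LINK_RATE_LIMIT_WINDOW_SECONDS = 3600
RATE_LIMIT_MESSAGE = "Too many login attempts. Please try again later."


class RedisUnavailable(Exception):
    """Raised by the client when Redis cannot be reached (stands in for a connection error)."""


class FakeRedis:
    """Constructed in-memory stand-in for the incr/expire/ttl subset of a Redis client.

    The clock (`now`) and outage flag (`down`) are controllable so the window expiry
    and the fail-closed path can be exercised without a Redis server."""

    def __init__(self):
        self.store = {}      # key -> [count, expires_at or None]
        self.now = 0.0       # seconds; advanced manually in tests
        self.down = False    # simulate Redis being unreachable

    def _require_up(self):
        if self.down:
            raise RedisUnavailable("connection refused")

    def _live(self, key):
        entry = self.store.get(key)
        if entry is None:
            return None
        if entry[1] is not None and entry[1] <= self.now:  # expired: Redis drops it
            del self.store[key]
            return None
        return entry

    def incr(self, key):
        self._require_up()
        entry = self._live(key)
        if entry is None:
            entry = [0, None]          # a fresh key has no TTL, exactly like INCR in Redis
            self.store[key] = entry
        entry[0] += 1
        return entry[0]

    def expire(self, key, seconds):
        self._require_up()
        entry = self._live(key)
        if entry is None:
            return False
        entry[1] = self.now + seconds
        return True

    def ttl(self, key):
        self._require_up()
        entry = self._live(key)
        if entry is None:
            return -2                  # Redis convention: key does not exist
        if entry[1] is None:
            return -1                  # key exists but has no TTL
        return int(entry[1] - self.now)


class RateLimitExceeded(Exception):
    """The caller must map this to HTTP 429 with the generic message."""


class RateLimiterUnavailable(Exception):
    """Redis could not be reached: the ticket says to fail rather than bypass the limit."""


class MagicLinkRateLimiter:
    def __init__(self, client, max_requests=MAGIC_LINK_RATE_LIMIT_MAX,
                 window_seconds=MAGIC_LINK_RATE_LIMIT_WINDOW_SECONDS):
        self.client = client
        self.max_requests = max_requests
        self.window_seconds = window_seconds

    def key(self, email):
        # Key format from the ticket. Lowercasing is an assumption so that case
        # variants of one mailbox share a single counter.
        return f"magic-link:ratelimit:{email.strip().lower()}"

    def check(self, email, ip=None, user_agent=None):
        """Count this request; raise RateLimitExceeded once the window's budget is spent."""
        key = self.key(email)
        try:
            count = self.client.incr(key)
            # Attach the TTL on the first hit. Also repair a counter that has no TTL
            # (a crash between INCR and EXPIRE would otherwise leave it permanent).
            if count == 1 or self.client.ttl(key) == -1:
                self.client.expire(key, self.window_seconds)
        except RedisUnavailable as exc:
            log.error("magic link rate limiter unavailable: %s", exc)
            raise RateLimiterUnavailable() from exc
        if count > self.max_requests:
            log.warning("magic link request blocked by rate limit email=%s ip=%s user_agent=%s",
                        email, ip, user_agent)
            raise RateLimitExceeded()
        return count


def handle_request(limiter, email, ip=None, user_agent=None):
    """Assumed shape of the endpoint: returns (status, body) for the request endpoint only."""
    try:
        limiter.check(email, ip, user_agent)
    except RateLimitExceeded:
        return 429, {"error": RATE_LIMIT_MESSAGE}
    except RateLimiterUnavailable:
        return 503, {"error": "Service unavailable"}   # status code is an assumption
    return 200, {"ok": True}                           # magic link would be issued here
```

The counter is a fixed window anchored at the first request: blocked attempts still increment it but never extend the TTL, so a flood does not lock the address out indefinitely. Because the state lives in Redis rather than in process memory, the limit survives restarts, and because the limiter raises instead of returning "allowed" when Redis is down, an outage cannot be used to bypass it.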