[Bug] dashboard-api: send-otp, verify-otp, forgot-password, and reset-password endpoints use dashboardLimiter (1000/15min) instead of authLimiter (10/15min)

[anshul23102]

Bug Summary

apps/dashboard-api/src/routes/auth.js applies the strict authLimiter (10 requests per 15 minutes) only to POST /login and POST /register. The OTP and password-reset endpoints that follow use router.use(dashboardLimiter), which allows 1000 requests per 15 minutes:

router.post('/register', authLimiter, register);
router.post('/login', authLimiter, login);
router.get('/github/start', startGithubAuth);
router.get('/github/callback', handleGithubCallback);

router.use(dashboardLimiter);   // 1000/15min from here onwards

router.post('/send-otp', sendOtp);          // should use authLimiter
router.post('/verify-otp', verifyOtp);      // should use authLimiter
router.post('/forgot-password', forgotPassword);  // should use authLimiter
router.post('/reset-password', resetPassword);    // should use authLimiter

An attacker can:

1. Enumerate valid OTP values (typically 6 digits = 1,000,000 combinations) by brute-forcing POST /verify-otp at 1000 attempts per 15 minutes -- far exceeding what authLimiter would allow.
2. Flood POST /send-otp to spam a target's email inbox with OTP messages at high volume.
3. Iterate POST /forgot-password against a list of email addresses to enumerate registered accounts.

Expected Behavior

send-otp, verify-otp, forgot-password, and reset-password should each be explicitly protected by authLimiter (10 requests per 15 minutes), matching the same strict limit applied to login and register.

Actual Behavior

These four endpoints inherit only the permissive dashboardLimiter (1000 requests per 15 minutes).

Affected File

apps/dashboard-api/src/routes/auth.js

---

@geturbackend I would like to work on this issue. Could you please assign/ it to me? Contributing under GSSoC '26.

[shravya290706]

Hi
I would like to work on this issue under SSOC'26.
Kindly assign this issue to me.
Thank you!

[anshul23102]

Hi @yash-pouranik, I am the author of this issue and would like to work on it under GSSoC '26.

I have traced the root cause and have a targeted fix ready for the incorrect rate limiter assignments on auth endpoints (dashboardLimiter instead of authLimiter).

I will request formal assignment once my work on issue #245 is complete, in line with the one-issue-at-a-time rule. Flagging my interest here so the issue stays on your radar.

GSSoC '26

[yash-pouranik]

As u are already assigned @anshul23102
THis I am giving to @shravya290706 , proceed

[anshul23102]

I've opened a PR to address this: #257. Ready for review.