From 61a298a7351519c1354bf24ddf4ba3b9677f3b45 Mon Sep 17 00:00:00 2001
From: Steve Dogiakos
Date: Sat, 28 Mar 2026 23:16:08 -0600
Subject: [PATCH] fix: rate-limit admin login and API endpoint

Limits POST to /admin/login to 10 requests/minute to block brute-force attacks. Limits GET /api/guests to 100 requests/hour to prevent bulk data exfiltration.
---
 app.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app.py b/app.py
index 90c2608..305c786 100644
--- a/app.py
+++ b/app.py
@@ -295,6 +295,7 @@ def _admin_configured():
     return bool(os.environ.get('ADMIN_USER') and os.environ.get('ADMIN_PASSWORD'))
 
 @app.route('/admin/login', methods=['GET', 'POST'])
+@limiter.limit("10 per minute", methods=["POST"])
 def admin_login():
     if not _admin_configured():
         abort(503)
@@ -450,6 +451,7 @@ def admin_users_delete(user_id):
 # ---------------------------------------------------------------------------
 
 @app.route('/api/guests', methods=['GET'])
+@limiter.limit("100 per hour")
 def api_guests():
     api_key = request.headers.get('X-API-Key')
     if api_key != os.environ.get("API_KEY"):
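Review bot: The limit added on the `@limiter.limit("10 per minute", methods=["POST"])` line is only as good as the limiter's key function, and the `limiter` construction is outside this hunk: if the app sits behind a reverse proxy without trusted-proxy handling, every client lands in one bucket and the limit locks out legitimate admins, while if a forwarded-address header is trusted unconditionally the bucket is caller-chosen. A per-address limit also does nothing against attempts spread over many addresses, so a second limit keyed on the submitted account name would make the protection per-credential, e.g. `@limiter.limit("5 per minute", methods=["POST"], key_func=lambda: request.form.get("<login-field>", ""))` stacked under the existing one (the form field name is not visible in the hunk). Rejected attempts should be logged so the resulting 429s are visible to detection, and if the limiter uses in-memory storage the counters are per-process and reset on restart, which is worth a comment on the decorator. `admin_login`'s body continues outside the hunk.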
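Review bot: The guard two lines below the new decorator, `if api_key != os.environ.get("API_KEY"):`, still accepts a request that carries no `X-API-Key` header whenever `API_KEY` is unset in the environment, since both sides are `None`, and the plain `!=` is not a constant-time comparison; the new rate limit does not change either point. Replace it with an explicit presence check and `hmac.compare_digest`: `expected = os.environ.get("API_KEY")` followed by `if not api_key or not expected or not hmac.compare_digest(api_key, expected):` (with `hmac` imported at the top of the file, which is outside this hunk). Because callers of this endpoint are identified by key rather than by address, keying the `"100 per hour"` limit on the presented key via the decorator's `key_func` would make the budget per credential instead of per source, and whether 100 requests is a meaningful bound on exfiltration depends on how many records one response returns, which is not visible here. `api_guests`'s body continues outside the hunk.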