Fix API Rate Limit Exhaustion in AdonisJS
API Rate Limit Exhaustion in AdonisJS is a critical vulnerability that allows attackers to perform Denial of Service (DoS) or automated brute-force attacks against sensitive endpoints. Without throttling, an adversary can saturate the event loop or exhaust database connection pools. To secure the stack, we must implement the official @adonisjs/limiter package to enforce request quotas at the middleware layer.
The Vulnerable Pattern
// start/routes.ts
import router from '@adonisjs/core/services/router'
const AuthController = () => import('#controllers/auth_controller')

// VULNERABLE: No rate limiting applied.
// An attacker can send 10,000 requests/sec to brute-force credentials.
router.post('/api/login', [AuthController, 'login'])
The Secure Implementation
The fix utilizes the @adonisjs/limiter package to implement a 'Fixed Window' or 'Leaky Bucket' strategy. By defining a policy that allows only 5 requests per minute keyed by the user's IP address, we prevent automated scripts from overwhelming the login logic. The middleware intercepts the request early in the lifecycle; if the limit is exceeded, it immediately returns a 429 Too Many Requests response, protecting downstream resources like the database and hashing functions (Bcrypt/Argon2) from CPU exhaustion.
// 1. Define the limiter in start/limiter.ts
import { limiter } from '@adonisjs/limiter/services/main'

export const loginThrottle = limiter
  .allowRequests(5)
  .every('1 minute')
  .usingKey((ctx) => ctx.request.ip())

// 2. Apply to routes in start/routes.ts
import router from '@adonisjs/core/services/router'
import { middleware } from '#start/kernel'
const AuthController = () => import('#controllers/auth_controller')

router.post('/api/login', [AuthController, 'login'])
  .use(middleware.throttle('loginThrottle'))
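To show what the throttle middleware above does internally, here is an added, framework-free TypeScript example (not the @adonisjs/limiter code): a fixed-window counter keyed by client IP, wrapped as a middleware that answers 429 with a Retry-After header once 5 hits land inside one minute. The request/response shapes, the login handler and the IP addresses are constructed for the simulation.

```typescript
// Fixed-window limiter: one counter per key, reset when the window elapses.
// Constructed example of the mechanism; not the @adonisjs/limiter implementation.
type Decision = { allowed: boolean; remaining: number; retryAfterSec: number }
type Bucket = { count: number; windowStart: number }

class FixedWindowLimiter {
  private buckets: Map<string, Bucket> = new Map()
  private maxRequests: number
  private windowMs: number
  private now: () => number // injectable clock so the window can be simulated

  constructor(maxRequests: number, windowMs: number, now: () => number = Date.now) {
    this.maxRequests = maxRequests
    this.windowMs = windowMs
    this.now = now
  }

  hit(key: string): Decision {
    const t = this.now()
    let b = this.buckets.get(key)
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { count: 0, windowStart: t } // first hit, or the previous window expired
      this.buckets.set(key, b)
    }
    if (b.count >= this.maxRequests) {
      const msLeft = b.windowStart + this.windowMs - t
      return { allowed: false, remaining: 0, retryAfterSec: Math.ceil(msLeft / 1000) }
    }
    b.count += 1
    return { allowed: true, remaining: this.maxRequests - b.count, retryAfterSec: 0 }
  }
}

// Minimal request/response shapes (constructed) so the middleware runs without a framework.
interface Req { ip: string; path: string }
interface Res { status: number; headers: Record<string, string>; body: string }

// Middleware factory: short-circuits with 429 before the handler (and any password
// hashing behind it) runs, once the key is over quota.
function throttle(limiter: FixedWindowLimiter, handler: (req: Req) => Res) {
  return (req: Req): Res => {
    const d = limiter.hit(req.ip)
    if (!d.allowed) {
      const headers = { 'Retry-After': String(d.retryAfterSec), 'X-RateLimit-Remaining': '0' }
      return { status: 429, headers, body: 'Too Many Requests' }
    }
    const res = handler(req)
    res.headers['X-RateLimit-Remaining'] = String(d.remaining)
    return res
  }
}

// Simulation: 7 failed logins from one IP within a minute, one from another IP,
// then the first IP again after the window rolls over.
function simulateLoginBurst(): number[] {
  let clock = 0
  const limiter = new FixedWindowLimiter(5, 60_000, () => clock)
  const login = throttle(limiter, () => ({ status: 401, headers: {}, body: 'invalid credentials' }))
  const statuses: number[] = []
  for (let i = 0; i < 7; i++) {
    clock += 1000
    statuses.push(login({ ip: '203.0.113.10', path: '/api/login' }).status)
  }
  statuses.push(login({ ip: '198.51.100.7', path: '/api/login' }).status) // separate key
  clock += 60_000
  statuses.push(login({ ip: '203.0.113.10', path: '/api/login' }).status) // new window
  return statuses // [401, 401, 401, 401, 401, 429, 429, 401, 401]
}
```

Keying on the client IP alone is coarse: clients behind one NAT share a single quota, and behind a reverse proxy the IP must come from a trusted forwarded header, so production policies often combine the IP with the submitted username.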
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.