v1.6.1: Sicherheit – Rate Limiting, Default-PW via Env, AUTH_SECRET Pflicht, Bcrypt 12

app/login/actions.ts

@@ -1,13 +1,27 @@
 'use server';
 
+import { headers } from 'next/headers';
 import { redirect } from 'next/navigation';
 import { verifyCredentials, getBeoDisplayName } from '@/lib/auth';
 import { createSession } from '@/lib/session';
+import { checkRateLimit } from '@/lib/ratelimit';
 
 export async function login(
   _prevState: { error: string } | undefined,
   formData: FormData
 ): Promise<{ error: string }> {
+  const headersList = await headers();
+  const ip =
+    headersList.get('x-forwarded-for')?.split(',')[0].trim() ??
+    headersList.get('x-real-ip') ??
+    'unknown';
+
+  const { allowed, remainingMs } = checkRateLimit(ip);
+  if (!allowed) {
+    const minutes = Math.ceil(remainingMs / 60000);
+    return { error: `Zu viele Anmeldeversuche. Bitte ${minutes} Minute${minutes !== 1 ? 'n' : ''} warten.` };
+  }
+
   const login = (formData.get('username') as string)?.trim();
   const password = formData.get('password') as string;