Missing rate limiting enables credential brute force attacks
Tags: warning, security. Updated Mar 2, 2026 (via Exa)
Technologies:
How to detect:
Authentication endpoints (login, password reset, OTP) lack rate limiting or throttling, allowing attackers to brute force credentials, enumerate users, or abuse password reset flows.
Recommended action:
Implement rate limiting on sensitive endpoints using middleware, decorator-based limiters, or proxy-level throttling. Monitor failed login attempts. Set reasonable limits (e.g., 5 attempts per minute per IP). Log and alert on threshold violations.
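As an added example that is not part of the original advisory: a decorator-based, per-IP sliding-window limiter in Python implementing the 5-attempts-per-minute limit above, with a warning log entry on each threshold violation. The `SlidingWindowLimiter`, `rate_limited`, `login` handler and `USERS` table are constructed for illustration; a real deployment would back the limiter with a shared store and verify password hashes.

```python
import logging
import time
from collections import defaultdict, deque
from functools import wraps

log = logging.getLogger("auth.ratelimit")

class SlidingWindowLimiter:
    """At most `limit` attempts per `window` seconds per key; in-memory here, a shared store (e.g. Redis) in production."""
    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._events = defaultdict(deque)   # key -> timestamps of recent attempts
        self.violations = []                # (key, timestamp) records for an alerting hook

    def allow(self, key):
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:   # forget attempts that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            self.violations.append((key, now))
            log.warning("rate limit exceeded key=%s limit=%d per %.0fs", key, self.limit, self.window)
            return False
        q.append(now)                            # every attempt counts, not only failed ones
        return True

def rate_limited(limiter, key_func):
    """Decorator: answer HTTP 429 style once key_func(request) is over its limit."""
    def deco(handler):
        @wraps(handler)
        def wrapper(request):
            if not limiter.allow(key_func(request)):
                return {"status": 429, "error": "too many attempts"}
            return handler(request)
        return wrapper
    return deco

USERS = {"alice": "correct-horse"}   # constructed demo store; real code verifies a password hash

def make_login(limiter):
    # Keyed per client IP as the advisory suggests; a second limiter keyed per account is a common complement.
    @rate_limited(limiter, key_func=lambda r: r["ip"])
    def login(request):
        ok = USERS.get(request["user"]) == request["password"]
        if not ok:
            log.info("failed login user=%s ip=%s", request["user"], request["ip"])
        return {"status": 200 if ok else 401}
    return login

def demo():
    # Six wrong-password attempts from one IP: five reach the check (401), the sixth is throttled (429)
    login = make_login(SlidingWindowLimiter(limit=5, window=60.0))
    return [login({"ip": "203.0.113.7", "user": "alice", "password": "wrong"})["status"] for _ in range(6)]
```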