From de1b7e3377eb120bc519575c48ec4973bcb64d87 Mon Sep 17 00:00:00 2001
From: yushen
Date: Thu, 26 Mar 2026 15:44:05 +0800
Subject: [PATCH] fix(auth): reduce verification code rate limit from 60s to 10s

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 apps/web/app/(auth)/login/page.tsx | 4 ++--
 server/internal/handler/auth.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/web/app/(auth)/login/page.tsx b/apps/web/app/(auth)/login/page.tsx
index 4f8409d6..de94a4ee 100644
--- a/apps/web/app/(auth)/login/page.tsx
+++ b/apps/web/app/(auth)/login/page.tsx
@@ -54,7 +54,7 @@ function LoginPageContent() {
 await sendCode(email);
 setStep("code");
 setCode("");
- setCooldown(60);
+ setCooldown(10);
 } catch (err) {
 setError(
 err instanceof Error ? err.message : "Failed to send code. Make sure the server is running."
@@ -118,7 +118,7 @@ function LoginPageContent() {
 setError("");
 try {
 await sendCode(email);
- setCooldown(60);
+ setCooldown(10);
 } catch (err) {
 setError(
 err instanceof Error ? err.message : "Failed to resend code"
diff --git a/server/internal/handler/auth.go b/server/internal/handler/auth.go
index 4575fdea..d0e4fedb 100644
--- a/server/internal/handler/auth.go
+++ b/server/internal/handler/auth.go
@@ -213,9 +213,9 @@ func (h *Handler) SendCode(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- // Rate limit: max 1 code per 60 seconds per email
+ // Rate limit: max 1 code per 10 seconds per email
 latest, err := h.Queries.GetLatestCodeByEmail(r.Context(), email)
- if err == nil && time.Since(latest.CreatedAt.Time) < 60*time.Second {
+ if err == nil && time.Since(latest.CreatedAt.Time) < 10*time.Second {
 writeError(w, http.StatusTooManyRequests, "please wait before requesting another code")
 return
 }
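Review bot: `setCooldown(10)` hard-codes the interval at two call sites (this hunk and the one at @@ -118) and it has to match the 10 s server window in `server/internal/handler/auth.go`, so the next adjustment has three places to forget; a module-level `const SEND_CODE_COOLDOWN_SECONDS = 10;` used at both sites, with a comment saying it mirrors the server's SendCode rate limit, would make that coupling explicit. The client cooldown only gates the button, so the server-side check remains the effective control regardless of this value. `LoginPageContent` starts and ends outside the hunk.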
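Review bot: The rate-limit check on the `+` line still fails open: any error from `GetLatestCodeByEmail` other than the no-previous-code case makes `err == nil` false, so the throttle is skipped entirely, and with the window now 10 s per email that is the only brake visible in this hunk. If the generated query reports an empty result as `sql.ErrNoRows` (not visible here), distinguish it from real errors and return 500 otherwise, as sketched below. With no per-IP or longer-window cap visible in the hunk, a single unauthenticated caller can now trigger six emails per minute to any address, so a count limit over a longer window alongside this interval is worth considering. The 10 s value is also duplicated in `apps/web/app/(auth)/login/page.tsx`; a named constant such as `const sendCodeMinInterval = 10 * time.Second` would keep the comment, the check and the client in sync. `SendCode` starts and ends outside the hunk.
```go
	// Rate limit: max 1 code per 10 seconds per email
	latest, err := h.Queries.GetLatestCodeByEmail(r.Context(), email)
	if err != nil && !errors.Is(err, sql.ErrNoRows) { // needs errors and database/sql in scope; confirm the query's not-found error
		writeError(w, http.StatusInternalServerError, "could not check rate limit")
		return
	}
	if err == nil && time.Since(latest.CreatedAt.Time) < 10*time.Second {
	// … unchanged: 429 response and return …
```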