Phase 6: Rate limiting on auth endpoints

src/app.ts

@@ -1,5 +1,6 @@
 import Fastify from 'fastify';
 import cors from '@fastify/cors';
+import rateLimit from '@fastify/rate-limit';
 import prismaPlugin from './plugins/prisma.js';
 import errorHandlerPlugin from './plugins/error-handler.js';
 import authPlugin from './plugins/auth.js';
@@ -22,6 +23,11 @@ export async function buildApp() {
 
   // Plugins
   await app.register(cors, { origin: config.corsOrigin });
+  await app.register(rateLimit, {
+    global: true,
+    max: 100,
+    timeWindow: '1 minute',
+  });
   await app.register(errorHandlerPlugin);
   await app.register(prismaPlugin);
   await app.register(authPlugin);

src/routes/auth/meta.ts

@@ -9,6 +9,9 @@ import type { MetaCallbackBody, AuthTokensResponse } from '../../types/api.js';
 
 const metaAuthRoutes: FastifyPluginAsync = async (fastify) => {
   fastify.post<{ Body: MetaCallbackBody }>('/auth/meta/callback', {
+    config: {
+      rateLimit: { max: 10, timeWindow: '1 minute' },
+    },
     schema: {
       body: {
         type: 'object',

src/routes/auth/session.ts

@@ -10,6 +10,9 @@ import type { RefreshBody, AuthTokensResponse, UserProfileResponse } from '../..
 const sessionRoutes: FastifyPluginAsync = async (fastify) => {
   // POST /auth/refresh — rotate refresh token, issue new JWT
   fastify.post<{ Body: RefreshBody }>('/auth/refresh', {
+    config: {
+      rateLimit: { max: 10, timeWindow: '1 minute' },
+    },
     schema: {
       body: {
         type: 'object',