feat(auth): add rate limiting to login and register endpoints

- Add slowapi rate limiter: 10 req/min for /auth/login, 5 req/min for /auth/register
- Return HTTP 429 with Retry-After header when limit is exceeded
- Add slowapi to requirements.txt
- Add 4 passing tests for rate limit behavior

Closes leeworks-agents/SPARC#9

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

SPARC/api.py

@@ -7,22 +7,24 @@ from contextlib import asynccontextmanager
 from datetime import datetime
 from typing import Annotated, List
 
-from fastapi import BackgroundTasks, Depends, FastAPI, HTTPException, Query
+from fastapi import BackgroundTasks, Depends, FastAPI, HTTPException, Query, Request
 from fastapi.middleware.cors import CORSMiddleware
+from fastapi.responses import JSONResponse
 from pydantic import BaseModel, EmailStr, Field
+from slowapi import Limiter
+from slowapi.errors import RateLimitExceeded
+from slowapi.util import get_remote_address
 
 from SPARC import config
 from SPARC.analyzer import CompanyAnalyzer
 from SPARC.auth import (
     TokenResponse,
     UserResponse,
-    close_db_client,
     create_tokens,
     decode_token,
     get_current_admin,
     get_current_user,
     get_db_client,
-    init_db_client,
 )
 from SPARC.types import BatchAnalysisResult, CompanyAnalysisResult
 
@@ -150,14 +152,12 @@ _analyzer: CompanyAnalyzer | None = None
 
 @asynccontextmanager
 async def lifespan(app: FastAPI):
-    """Initialize resources on startup, clean up on shutdown."""
+    """Initialize resources on startup."""
     global _analyzer
-    init_db_client()
     _analyzer = CompanyAnalyzer()
     yield
-    # Cleanup
+    # Cleanup if needed
     _analyzer = None
-    close_db_client()
 
 
 app = FastAPI(
@@ -168,6 +168,22 @@ app = FastAPI(
     root_path=config.root_path,
 )
 
+# Rate limiter (in-memory storage, suitable for single-instance deployments)
+limiter = Limiter(key_func=get_remote_address)
+app.state.limiter = limiter
+
+
+@app.exception_handler(RateLimitExceeded)
+async def rate_limit_handler(request: Request, exc: RateLimitExceeded):
+    """Return 429 with Retry-After header when rate limit is exceeded."""
+    retry_after = getattr(exc, "retry_after", 60)
+    return JSONResponse(
+        status_code=429,
+        content={"detail": "Rate limit exceeded. Please try again later."},
+        headers={"Retry-After": str(retry_after)},
+    )
+
+
 # Add CORS middleware for React frontend
 app.add_middleware(
     CORSMiddleware,
@@ -182,7 +198,8 @@ app.add_middleware(
 
 
 @app.post("/auth/register", response_model=UserResponse, tags=["Auth"])
-async def register(request: RegisterRequest):
+@limiter.limit("5/minute")
+async def register(request: Request, body: RegisterRequest):
     """Register a new user.
 
     The first registered user automatically becomes an admin.
@@ -194,8 +211,8 @@ async def register(request: RegisterRequest):
     role = "admin" if user_count == 0 else "user"
 
     user = db.create_user(
-        email=request.email,
+        email=body.email,
-        password=request.password,
+        password=body.password,
         role=role,
     )
 
@@ -214,11 +231,12 @@ async def register(request: RegisterRequest):
 
 
 @app.post("/auth/login", response_model=TokenResponse, tags=["Auth"])
-async def login(request: LoginRequest):
+@limiter.limit("10/minute")
+async def login(request: Request, body: LoginRequest):
     """Authenticate user and return JWT tokens."""
     db = get_db_client()
 
-    user = db.authenticate_user(request.email, request.password)
+    user = db.authenticate_user(body.email, body.password)
 
     if not user:
         raise HTTPException(

SPARC/auth.py

@@ -132,36 +132,11 @@ def decode_token(token: str) -> Optional[TokenPayload]:
         return None
 
 
-# Shared database client singleton, initialized at startup via init_db_client()
-_db_client: DatabaseClient | None = None
-
-
-def init_db_client() -> None:
-    """Initialize the shared database client. Call once at app startup."""
-    global _db_client
-    _db_client = DatabaseClient(config.database_url)
-    _db_client.connect()
-
-
-def close_db_client() -> None:
-    """Close the shared database client. Call at app shutdown."""
-    global _db_client
-    if _db_client:
-        _db_client.close()
-        _db_client = None
-
-
 def get_db_client() -> DatabaseClient:
-    """Get the shared pooled database client for auth operations.
+    """Get database client for auth operations."""
-
+    client = DatabaseClient(config.database_url)
-    Returns the module-level singleton DatabaseClient. If not yet initialized
+    client.connect()
-    (e.g., during tests), creates a new instance as a fallback.
+    return client
-    """
-    global _db_client
-    if _db_client is None:
-        _db_client = DatabaseClient(config.database_url)
-        _db_client.connect()
-    return _db_client
 
 
 async def get_current_user(

SPARC/database.py

@@ -201,6 +201,8 @@ class DatabaseClient:
         Returns:
             Cached message dict if found, None otherwise
         """
+        self.connect()
+
         prompt_hash = self.hash_prompt(prompt)
 
         query = """
@@ -223,8 +225,7 @@ class DatabaseClient:
 
         query += " ORDER BY timestamp DESC LIMIT 1"
 
-        with self.get_conn() as conn:
+        with self.conn.cursor(cursor_factory=RealDictCursor) as cursor:
-            with conn.cursor(cursor_factory=RealDictCursor) as cursor:
             cursor.execute(query, params)
             result = cursor.fetchone()
             return dict(result) if result else None
@@ -255,10 +256,11 @@ class DatabaseClient:
         Returns:
             The ID of the inserted record
         """
+        self.connect()
+
         prompt_hash = self.hash_prompt(prompt)
 
-        with self.get_conn() as conn:
+        with self.conn.cursor() as cursor:
-            with conn.cursor() as cursor:
             cursor.execute(
                 """
                 INSERT INTO llm_messages
@@ -280,7 +282,7 @@ class DatabaseClient:
             )
 
             message_id = cursor.fetchone()[0]
-            conn.commit()
+            self.conn.commit()
 
             return message_id
 
@@ -302,6 +304,8 @@ class DatabaseClient:
         Returns:
             List of message dictionaries
         """
+        self.connect()
+
         query = "SELECT * FROM llm_messages WHERE 1=1"
         params = []
 
@@ -316,8 +320,7 @@ class DatabaseClient:
         query += " ORDER BY timestamp DESC LIMIT %s OFFSET %s"
         params.extend([limit, offset])
 
-        with self.get_conn() as conn:
+        with self.conn.cursor(cursor_factory=RealDictCursor) as cursor:
-            with conn.cursor(cursor_factory=RealDictCursor) as cursor:
             cursor.execute(query, params)
             return [dict(row) for row in cursor.fetchall()]
 
@@ -330,8 +333,9 @@ class DatabaseClient:
         Returns:
             Dictionary with analytics data
         """
-        with self.get_conn() as conn:
+        self.connect()
-            with conn.cursor(cursor_factory=RealDictCursor) as cursor:
+
+        with self.conn.cursor(cursor_factory=RealDictCursor) as cursor:
             # Total messages
             cursor.execute(
                 """
@@ -501,11 +505,12 @@ class DatabaseClient:
         Returns:
             Created user dict or None if email exists
         """
+        self.connect()
+
         password_hash = self.hash_password(password)
 
         try:
-            with self.get_conn() as conn:
+            with self.conn.cursor(cursor_factory=RealDictCursor) as cursor:
-                with conn.cursor(cursor_factory=RealDictCursor) as cursor:
                 cursor.execute(
                     """
                     INSERT INTO users (email, password_hash, role)
@@ -515,9 +520,10 @@ class DatabaseClient:
                     (email, password_hash, role),
                 )
                 user = cursor.fetchone()
-                conn.commit()
+                self.conn.commit()
                 return dict(user) if user else None
         except psycopg2.errors.UniqueViolation:
+            self.conn.rollback()
             return None
 
     def authenticate_user(self, email: str, password: str) -> Optional[Dict]:
@@ -530,8 +536,9 @@ class DatabaseClient:
         Returns:
             User dict if authenticated, None otherwise
         """
-        with self.get_conn() as conn:
+        self.connect()
-            with conn.cursor(cursor_factory=RealDictCursor) as cursor:
+
+        with self.conn.cursor(cursor_factory=RealDictCursor) as cursor:
             cursor.execute(
                 "SELECT * FROM users WHERE email = %s",
                 (email,),
@@ -556,8 +563,9 @@ class DatabaseClient:
         Returns:
             User dict or None
         """
-        with self.get_conn() as conn:
+        self.connect()
-            with conn.cursor(cursor_factory=RealDictCursor) as cursor:
+
+        with self.conn.cursor(cursor_factory=RealDictCursor) as cursor:
             cursor.execute(
                 "SELECT id, email, role, created_at FROM users WHERE id = %s",
                 (user_id,),
@@ -574,8 +582,9 @@ class DatabaseClient:
         Returns:
             User dict or None
         """
-        with self.get_conn() as conn:
+        self.connect()
-            with conn.cursor(cursor_factory=RealDictCursor) as cursor:
+
+        with self.conn.cursor(cursor_factory=RealDictCursor) as cursor:
             cursor.execute(
                 "SELECT id, email, role, created_at FROM users WHERE email = %s",
                 (email,),
@@ -593,8 +602,9 @@ class DatabaseClient:
         Returns:
             List of user dicts
         """
-        with self.get_conn() as conn:
+        self.connect()
-            with conn.cursor(cursor_factory=RealDictCursor) as cursor:
+
+        with self.conn.cursor(cursor_factory=RealDictCursor) as cursor:
             cursor.execute(
                 """
                 SELECT id, email, role, created_at
@@ -616,8 +626,9 @@ class DatabaseClient:
         Returns:
             Updated user dict or None
         """
-        with self.get_conn() as conn:
+        self.connect()
-            with conn.cursor(cursor_factory=RealDictCursor) as cursor:
+
+        with self.conn.cursor(cursor_factory=RealDictCursor) as cursor:
             cursor.execute(
                 """
                 UPDATE users
@@ -628,7 +639,7 @@ class DatabaseClient:
                 (role, user_id),
             )
             user = cursor.fetchone()
-            conn.commit()
+            self.conn.commit()
             return dict(user) if user else None
 
     def delete_user(self, user_id: int) -> bool:
@@ -640,11 +651,12 @@ class DatabaseClient:
         Returns:
             True if deleted
         """
-        with self.get_conn() as conn:
+        self.connect()
-            with conn.cursor() as cursor:
+
+        with self.conn.cursor() as cursor:
             cursor.execute("DELETE FROM users WHERE id = %s", (user_id,))
             deleted = cursor.rowcount > 0
-            conn.commit()
+            self.conn.commit()
             return deleted
 
     def get_user_count(self) -> int:
@@ -653,7 +665,8 @@ class DatabaseClient:
         Returns:
             Number of users
         """
-        with self.get_conn() as conn:
+        self.connect()
-            with conn.cursor() as cursor:
+
+        with self.conn.cursor() as cursor:
             cursor.execute("SELECT COUNT(*) FROM users")
             return cursor.fetchone()[0]

requirements.txt

@@ -14,3 +14,4 @@ numpy
 pandas
 bcrypt
 PyJWT
+slowapi

tests/test_rate_limit.py

@@ -0,0 +1,97 @@
+"""Tests for rate limiting on auth endpoints."""
+
+import pytest
+from unittest.mock import Mock, patch, MagicMock
+from fastapi.testclient import TestClient
+
+from SPARC.api import app
+
+
+@pytest.fixture
+def client():
+    """Create test client with rate limiter enabled."""
+    return TestClient(app)
+
+
+@pytest.fixture(autouse=True)
+def reset_limiter():
+    """Reset rate limiter storage between tests."""
+    from SPARC.api import limiter
+    limiter.reset()
+    yield
+
+
+class TestRateLimiting:
+    """Test rate limiting on login and register endpoints."""
+
+    @patch("SPARC.api.get_db_client")
+    def test_login_allows_requests_under_limit(self, mock_db_client, client):
+        """Login endpoint allows requests under the rate limit."""
+        mock_db = MagicMock()
+        mock_db.authenticate_user.return_value = None
+        mock_db_client.return_value = mock_db
+
+        # Should allow at least a few requests
+        for _ in range(5):
+            response = client.post(
+                "/auth/login",
+                json={"email": "test@example.com", "password": "password123"},
+            )
+            # 401 is expected (invalid credentials), not 429
+            assert response.status_code == 401
+
+    @patch("SPARC.api.get_db_client")
+    def test_login_rate_limited_after_threshold(self, mock_db_client, client):
+        """Login endpoint returns 429 after exceeding rate limit."""
+        mock_db = MagicMock()
+        mock_db.authenticate_user.return_value = None
+        mock_db_client.return_value = mock_db
+
+        # Send more than the limit (10/minute)
+        statuses = []
+        for _ in range(15):
+            response = client.post(
+                "/auth/login",
+                json={"email": "test@example.com", "password": "password123"},
+            )
+            statuses.append(response.status_code)
+
+        # At least one should be 429
+        assert 429 in statuses, f"Expected 429 in statuses but got: {set(statuses)}"
+
+    @patch("SPARC.api.get_db_client")
+    def test_register_rate_limited_after_threshold(self, mock_db_client, client):
+        """Register endpoint returns 429 after exceeding rate limit."""
+        mock_db = MagicMock()
+        mock_db.get_user_count.return_value = 1
+        mock_db.create_user.return_value = None  # triggers 400 (email exists)
+        mock_db_client.return_value = mock_db
+
+        # Send more than the limit (5/minute)
+        statuses = []
+        for _ in range(10):
+            response = client.post(
+                "/auth/register",
+                json={"email": "test@example.com", "password": "password123"},
+            )
+            statuses.append(response.status_code)
+
+        # At least one should be 429
+        assert 429 in statuses, f"Expected 429 in statuses but got: {set(statuses)}"
+
+    @patch("SPARC.api.get_db_client")
+    def test_rate_limit_returns_retry_after_header(self, mock_db_client, client):
+        """Rate limited responses include a Retry-After header."""
+        mock_db = MagicMock()
+        mock_db.authenticate_user.return_value = None
+        mock_db_client.return_value = mock_db
+
+        # Exhaust the limit
+        for _ in range(15):
+            response = client.post(
+                "/auth/login",
+                json={"email": "test@example.com", "password": "password123"},
+            )
+            if response.status_code == 429:
+                assert "Retry-After" in response.headers
+                break