feat: update authentication rate limiting to 15-minute windows

Updated all authentication rate limiters from 1-hour windows to more
reasonable 15-minute windows for better user experience while maintaining
security. Also fixed TypeScript error in PasswordRequirements component.

Changes:
- Auth rate limiter: 5 requests per 15 minutes (was 1 hour)
- Strict auth rate limiter: 3 requests per 15 minutes (unchanged window)
- Signup rate limiter: 5 attempts per 15 minutes (was 1 hour)
- Fixed useEffect return type in PasswordRequirements.tsx

Author: Patel230

packages/server/src/index.ts

@@ -556,8 +556,8 @@ async function startServer() {
 
   // Rate limiting configuration for authentication endpoints
   const authRateLimiter = rateLimit({
-    windowMs: 60 * 60 * 1000, // 1 hour
-    max: 5, // Max 5 requests per hour per IP
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 5, // Max 5 requests per 15 minutes per IP
     standardHeaders: true,
     legacyHeaders: false,
     skipSuccessfulRequests: false,

packages/server/src/resolvers/sqlite-auth.ts

@@ -30,7 +30,7 @@ const signupRateLimits = new Map<string, RateLimitEntry>();
 
 function checkSignupRateLimit(ip: string): { allowed: boolean; retryAfter?: number } {
   const now = Date.now();
-  const windowMs = 60 * 60 * 1000;
+  const windowMs = 15 * 60 * 1000;
   const maxAttempts = 5;
 
   const entry = signupRateLimits.get(ip);

packages/web/src/components/PasswordRequirements.tsx

@@ -51,6 +51,7 @@ export function PasswordRequirements({ password, showAll = false }: PasswordRequ
     } else if (password) {
       setShowBox(true);
     }
+    return undefined;
   }, [allRequiredMet, password]);
 
   if (!password) return null;