Rate-limit token-authorized accept endpoints to 10 attempts/min/IP
Concrete throttle for guessable-token endpoints, implementing the general rule in decision #88.
Harden invite-accept: bind token to its org + rate-limit the endpoint
Security review flagged that invite accept trusted a caller-supplied org and had no throttle. Bind to the invite's own org and rate-limit by IP.
GitHub · PR #482
Verified against the repro
2 of 3 candidates passed the security repro (replaying a token against a foreign org now 403s) and the suite. Selected Worker A (node-4790). This change touches auth + a migration — evidence is gathered, but blast radius is high; read it closely.
npm test -- routes/invites.crosstenant.repro
npm test -- routes/invites
Finding H-3: invite accept accepted a caller-supplied ?org=, enabling cross-tenant join.
Reaffirms decision #10 at the invite-accept boundary after finding a cross-tenant path.
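The two controls described above (deriving the org from the invite record instead of a caller-supplied ?org=, and a 10 attempts/min/IP throttle on the accept endpoint), as an added illustration that is not the code from PR #482. It assumes an in-memory invite store keyed by token, a request shape of { ip, params, query }, and a fixed-window counter; the invite data is constructed for the example.

```javascript
// Added example, not the project's code. Names (invites, attempts,
// acceptInvite) and the request shape are assumptions for illustration.
const WINDOW_MS = 60_000;
const MAX_ATTEMPTS = 10; // 10 attempts/min/IP, per decision #88

// Constructed sample invites: token -> the org the invite was issued for.
// The org binding lives on the server side; the caller never chooses it.
const invites = new Map([
  ['tok-acme-1', { orgId: 'acme', email: 'a@example.com', used: false }],
  ['tok-globex-1', { orgId: 'globex', email: 'b@example.com', used: false }],
]);

// Fixed-window counter per IP. Attempts are counted before any token lookup,
// so guesses against unknown tokens burn quota exactly like valid ones.
const attempts = new Map(); // ip -> { windowStart, count }

function rateLimited(ip, now = Date.now()) {
  let entry = attempts.get(ip);
  if (!entry || now - entry.windowStart >= WINDOW_MS) {
    entry = { windowStart: now, count: 0 };
    attempts.set(ip, entry);
  }
  entry.count += 1;
  return entry.count > MAX_ATTEMPTS;
}

// Returns { status, body } the way a route handler would respond.
function acceptInvite(req, now = Date.now()) {
  if (rateLimited(req.ip, now)) {
    return { status: 429, body: { error: 'too many attempts' } };
  }
  const invite = invites.get(req.params.token);
  if (!invite || invite.used) {
    // One generic answer for unknown and spent tokens; no oracle for guessers.
    return { status: 404, body: { error: 'invite not found' } };
  }
  // The org comes from the invite itself. A caller-supplied ?org= may only
  // confirm that binding; a mismatch is the cross-tenant replay and is refused.
  const requestedOrg = req.query && req.query.org;
  if (requestedOrg !== undefined && requestedOrg !== invite.orgId) {
    return { status: 403, body: { error: 'invite not valid for this org' } };
  }
  invite.used = true;
  return { status: 200, body: { orgId: invite.orgId, email: invite.email } };
}

function resetAttempts() {
  attempts.clear();
}
```

The throttle runs before the token lookup on purpose: if it ran after, a failed lookup would be free and the limit would not slow down token guessing. The 403 on an org mismatch matches the repro's expectation; an equally safe variant is to ignore ?org= entirely and always join the invite's own org.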