Genie demo proof packet
Status: completed (demo)

Fix SQL injection + add rate limiting to login

Parameterized the raw SQL query in src/api/users.ts, added express-rate-limit to POST /auth/login (10 req/min), and removed the unused prevStep state variable from onboarding/flow.tsx.

7/7 steps passed
100% pass rate
Duration: 42s
3 files changed
PR #253 (yeet-social/app)
Live preview: pr253.preview.genie.tech
+47 -12


Verification steps

Step 1 (navigate): PASS
Open login page
Expected: Login form renders
Actual: Login form rendered with email + password fields

Step 2 (type): PASS
Enter email: dev@acme.co
Expected: Email field populated
Actual: Email field shows dev@acme.co

Step 3 (type): PASS
Enter password
Expected: Password field populated
Actual: Password field masked

Step 4 (click): PASS
Click "Sign in" button
Expected: Login succeeds or rate limit triggers
Actual: Login succeeded, redirected to /dashboard

Step 5 (repeat): PASS
Rapid-fire 10 login attempts in 60s
Expected: Rate limiter returns 429 after 10th request
Actual: 429 Too Many Requests returned on 11th attempt

Step 6 (verify): PASS
Check SQL query parameterization in /api/users
Expected: No string interpolation in SQL queries
Actual: All queries use $1, $2 parameterized placeholders

Step 7 (verify): PASS
Check unused variable removal
Expected: prevStep variable removed from onboarding/flow.tsx
Actual: Variable removed, no references remain