From 32a4ffa70e993ca836d1ff88f47b75aad708d073 Mon Sep 17 00:00:00 2001
From: Runar Ingebrigtsen
Date: Fri, 30 Jan 2026 10:08:57 +0100
Subject: [PATCH] rate limiting sesisons

---
 app/controllers/sessions_controller.rb | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 7418de0..b75005a 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,4 +1,6 @@
 class SessionsController < ApplicationController
+  include RateLimiter
+
   def new
     # Redirect to admin if already logged in
     if logged_in?
@@ -7,6 +9,9 @@ class SessionsController < ApplicationController
   end
   def create
+    # Skip authentication if rate limited
+    return if @rate_limited
+
     user = User.find_by(email: params[:email]&.downcase&.strip)
     if user&.authenticate(params[:password])
@@ -17,7 +22,23 @@ class SessionsController < ApplicationController
       end
+      # Reset rate limit on successful login
+      reset_rate_limit
+
       session[:user_id] = user.id
       session[:last_activity_at] = Time.current.to_s
+
+      # Handle remember me
+      if params[:remember_me] == "1"
+        token = user.remember_me
+        cookies.signed[:remember_token] = {
+          value: token,
+          expires: User::REMEMBER_TOKEN_EXPIRY.from_now,
+          httponly: true,
+          secure: Rails.env.production?
+        }
+      end
+
       redirect_to admin? ? admin_root_path : root_path, notice: "Welcome back, #{user.name}!"
     else
       flash.now[:alert] = "Invalid email or password."
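Review bot: `return if @rate_limited` at the top of `create` leaves the action without a rendered response, so unless the `RateLimiter` concern (included in the first hunk; its definition and the point where it sets `@rate_limited` are not in this patch) has already written one, Rails falls through to implicit rendering of a `create` template this controller is unlikely to have. If the concern does render or redirect in a `before_action`, the filter chain halts and the action never runs, so the flag check is dead either way; the rate-limited branch should answer explicitly from here, e.g. `return render(:new, status: :too_many_requests) if @rate_limited`, with a `flash.now[:alert]` explaining the lockout. Note also that the early `return` on the line before `reset_rate_limit` (its condition sits outside this hunk) succeeds authentication without resetting the counter, which may or may not be intended. The `create` method continues past the end of this hunk.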
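Review bot: `secure: Rails.env.production?` on the new `remember_token` cookie keys the Secure flag to the environment name rather than to the transport, so any non-production deployment served over HTTPS issues a long-lived credential the browser will also send in clear over HTTP; prefer `secure: request.ssl?` (or rely on `config.force_ssl`) and state the SameSite policy explicitly with `same_site: :lax`, since whether Rails' Lax default applies depends on the app's `cookies_same_site_protection` setting, which is not visible here. The cookie is signed, not encrypted, so its value is readable on the client; that is fine only if `user.remember_me` returns a random token persisted as a hash server-side, which this patch does not show. Because the success path now mints a persistent credential, it is also worth calling `reset_session` before the existing `session[:user_id] = user.id` context line to close the session-fixation window, though that line is not part of this change. The surrounding `if user&.authenticate` block begins and ends outside this hunk.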