Mechanic's work place

app/api/users.py

@@ -25,6 +25,7 @@ from app.schemas.user import (
     UserUpsert,
     WebAppAuthRequest,
 )
+from app.services.rate_limit import check_rate_limit
 from app.services.telegram_auth import verify_login_widget, verify_webapp_init_data
 
 router = APIRouter(prefix="/users", tags=["users"])
@@ -56,8 +57,11 @@ async def auth_config() -> AuthConfig:
 
 @router.post("/webapp-auth", response_model=UserRead)
 async def webapp_auth(
-    payload: WebAppAuthRequest, session: AsyncSession = Depends(get_session)
+    payload: WebAppAuthRequest,
+    request: Request,
+    session: AsyncSession = Depends(get_session),
 ) -> User:
+    await check_rate_limit(scope="auth_webapp", limit=30, window_seconds=60, request=request, session=session)
     user_data = verify_webapp_init_data(payload.init_data, settings.bot_token)
     telegram_id = int(user_data["id"])
     return await get_or_create_telegram_user(
@@ -72,8 +76,11 @@ async def webapp_auth(
 
 @router.post("/telegram-login", response_model=UserRead)
 async def telegram_login(
-    payload: TelegramLoginRequest, session: AsyncSession = Depends(get_session)
+    payload: TelegramLoginRequest,
+    request: Request,
+    session: AsyncSession = Depends(get_session),
 ) -> User:
+    await check_rate_limit(scope="auth_login", limit=12, window_seconds=60, request=request, session=session)
     values = verify_login_widget(payload.model_dump(), settings.bot_token)
     telegram_id = int(values["id"])
     return await get_or_create_telegram_user(