I am doing a Fullstack Web Project at the moment and am now looking into API security. I have implemented a user login which then allows the client to access most routes of my API. But there are unprotected routes as well which can and must be accessed without a login (e.g. sign up, login, ...).
One route for example returns whether a specific username or e-mail address is already taken by another user and is used during the sign up process. For someone with bad intentions this public route would be a great help to figure out which e-mail addresses or usernames to try to hack or guess the password for because they can avoid credentials that aren't in use.
I know that this functionality is used very often by big companies to show the user whether he can use his desired username or not. How are they making sure there's no abuse? How can I protect my API and users from that?
I would appreciate any kind of help. Thanks a lot!
To limit API abuse, rate limiting is a good practice. One way is to specify a maximum amount of API requests per IP address and after that ignore the requests.
A good article describing solutions to do so and also showing examples for an implementation in NodeJS can be found here.
Thanks to Gilbert Le Blanc for the help on this one.
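A per-IP limiter of the kind the answer describes, as an added example that is not code from the answer or the linked article; the IP addresses, the limits and the Express-style `req.ip` / `res.status` calls are assumptions for illustration:

```javascript
// Sliding-window rate limiter keyed by client IP, dependency-free so it can
// sit in front of a public route such as a username/e-mail availability check.
// Requests from one IP beyond `limit` within `windowMs` are rejected.
class IpRateLimiter {
  constructor({ limit = 20, windowMs = 60000, now = () => Date.now() } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;          // injectable clock so the limiter can be tested deterministically
    this.hits = new Map();   // ip -> array of request timestamps (ms) inside the window
  }

  // Returns { allowed, remaining, retryAfterMs } for one request from `ip`.
  check(ip) {
    const t = this.now();
    const recent = (this.hits.get(ip) || []).filter(ts => t - ts < this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(ip, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(ip, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

// Express-style middleware (assumed API): answers over-limit requests with HTTP 429.
function rateLimitMiddleware(limiter) {
  return (req, res, next) => {
    // Behind a reverse proxy, enable Express 'trust proxy' so req.ip is the client, not the proxy.
    const r = limiter.check(req.ip);
    if (!r.allowed) {
      res.set('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
      return res.status(429).send('Too many requests');
    }
    next();
  };
}

// Constructed demo with a fake clock: 5 requests per minute from one IP.
// The 6th request is rejected, a request after the window is allowed again,
// and a different IP is never affected by the first one's quota.
function demo() {
  let clock = 0;
  const limiter = new IpRateLimiter({ limit: 5, windowMs: 60000, now: () => clock });
  const results = [];
  for (let i = 0; i < 6; i++) results.push(limiter.check('203.0.113.7').allowed);
  clock = 61000;
  results.push(limiter.check('203.0.113.7').allowed);
  results.push(limiter.check('198.51.100.2').allowed);
  return results;  // [true, true, true, true, true, false, true, true]
}
```

The in-memory map only works for a single process; with several API instances the per-IP counters have to live in shared storage for the limit to hold.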