Hello,
I see in the logs that sign-ups have some protection, but only if you try to make 2 sign-ups with the same email very quickly; then it gives you the error over_email_send_rate_limit and you need to wait 60 seconds:
However, somebody can bomb you with different emails and there is no limitation.
With logins it is even more dangerous. No matter how many times you enter wrong credentials, it just gives you the error "Invalid login credentials", and you can try again and again and again… So somebody can make a brute-force attack.
I can do some protection on the frontend, but it's not secure. And I believe that Supabase needs to have some protection against this.
I am not speaking about using a captcha or something similar, but some rate limit on the backend side.
Thank you in advance
Hi @Zoran.Velinov
Thank you for sharing your findings.
From my understanding, Supabase does have some built‑in rate limiting (for example on email sending and auth requests), but it doesn’t currently enforce a strong per‑user “lockout after X wrong passwords” mechanism.
So your observation is mostly correct, and for now it’s best to add your own protections on top (e.g. additional rate limiting, CAPTCHA, or edge‑function checks) if you need stronger brute‑force mitigation.
Thank you for your answer.
I prefer to add my own protection on top with an edge function, but how do I do this using the WeWeb Supabase Auth plugin?
To be able to do this, the Supabase Auth plugin action (login or signup, for example) first needs to go through my edge function, and then, after the check is done, either be executed or the edge function does what is necessary.
How?
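The gating step described in this thread, as an added example that is not code from WeWeb, Supabase or any participant here: a TypeScript rate limiter an edge function could run before it forwards a login or sign-up attempt to Supabase Auth, returning a 429 with a Retry-After instead. The key names, the limits and the in-memory store are assumptions; across several function instances the attempt log would have to live in a shared store such as a Postgres table.

```typescript
// Added example (not WeWeb's or Supabase's code). Sliding-window limiter keyed
// per email and per client IP, run before the auth call is forwarded.
// The Map is per-instance state (assumption); use a shared store in production.

type Decision = { allowed: boolean; retryAfterSec: number };
interface Limit { maxAttempts: number; windowMs: number }

const attempts = new Map<string, number[]>(); // key -> attempt timestamps (ms, ascending)

// Assumed policy: 5 attempts per email and 30 per IP in any 15-minute window.
const EMAIL_LIMIT: Limit = { maxAttempts: 5, windowMs: 15 * 60_000 };
const IP_LIMIT: Limit = { maxAttempts: 30, windowMs: 15 * 60_000 };

// Records one attempt for `key` unless the window is already full.
// Attempts are counted whether or not the credentials turn out to be valid,
// so the limiter leaks nothing about which emails exist.
function checkRateLimit(key: string, limit: Limit, now: number): Decision {
  const windowStart = now - limit.windowMs;
  const recent = (attempts.get(key) ?? []).filter((t) => t > windowStart);
  if (recent.length >= limit.maxAttempts) {
    const oldest = recent[0]; // list is ascending, so this expires first
    attempts.set(key, recent);
    return { allowed: false, retryAfterSec: Math.ceil((oldest + limit.windowMs - now) / 1000) };
  }
  recent.push(now);
  attempts.set(key, recent);
  return { allowed: true, retryAfterSec: 0 };
}

// IP check first (cheap, catches email-spraying), then the per-email check.
function gateAuthAttempt(email: string, ip: string, now: number = Date.now()): Decision {
  const byIp = checkRateLimit(`ip:${ip}`, IP_LIMIT, now);
  if (!byIp.allowed) return byIp;
  return checkRateLimit(`email:${email.trim().toLowerCase()}`, EMAIL_LIMIT, now);
}

// Shape of what the edge function would answer; on `allowed` it would forward
// the original request to Supabase Auth and relay that response instead.
function gateResponse(email: string, ip: string, now: number = Date.now()) {
  const d = gateAuthAttempt(email, ip, now);
  if (d.allowed) return { status: 200, headers: {} as Record<string, string> };
  return { status: 429, headers: { "Retry-After": String(d.retryAfterSec) } };
}
```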