- nginx rate limiting — limit_req_zone at http level; dedicated location = blocks for /token/pair (10/min, burst 5) and /register (3/min, burst 2), each with full CORS and proxy headers.
 - Timing attack (mwmbl/auth.py) — when no user is found, calls UserModel().check_password(password) to burn the same time as a real password check.
 - API key hashing — generate_api_key() in models.py returns (raw_key, hash); search_auth.py hashes the incoming key before lookup; platform/api.py stores the hash and returns the raw key once; migration 0021 hashes all existing keys. Existing key holders will need to regenerate their keys after this migration runs.
 - Rate limiter race (quota.py) — if incr creates a new key without a TTL (the race case), we immediately set a 1-second expiry via the Redis connection.