Adds rate limiting to the user class

app/classes/user.php

@@ -10,6 +10,7 @@ class User {
      * @var PDO|null $db The database connection instance.
      */
     private $db;
+    private $ratelimiter;
 
     /**
      * User constructor.
@@ -19,6 +20,7 @@ class User {
      */
     public function __construct($database) {
         $this->db = $database->getConnection();
+        $this->ratelimiter = new RateLimiter($database);
     }
 
 
@@ -88,6 +90,15 @@ class User {
      * @return bool True if login is successful, false otherwise.
      */
     public function login($username, $password) {
+        // get client IP address
+        $ipAddress = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
+
+        // check rate limiting
+        if (!$this->rateLimiter->attempt($username, $ipAddress)) {
+            $remainingTime = $this->rateLimiter->getDecayMinutes();
+            throw new Exception("Too many login attempts. Please try again in {$remainingTime} minutes.");
+        }
+
         $query = $this->db->prepare("SELECT * FROM users WHERE username = :username");
         $query->bindParam(':username', $username);
         $query->execute();
@@ -97,8 +108,15 @@ class User {
             $_SESSION['user_id'] = $user['id'];
             $_SESSION['username'] = $user['username'];
             return true;
+        }
+
+        // Login failed, return remaining attempts info
+        $remainingAttempts = $this->rateLimiter->getRemainingAttempts($username, $ipAddress);
+        if ($remainingAttempts > 0) {
+            throw new Exception("Invalid credentials. {$remainingAttempts} attempts remaining.");
         } else {
-            return false;
+            $remainingTime = $this->rateLimiter->getDecayMinutes();
+            throw new Exception("Too many login attempts. Please try again in {$remainingTime} minutes.");
         }
     }