Not easily, as /login is hardcoded in a couple of places in the codebase. To combat these types of attacks, we introduce a delay when logging in that somewhat matches the bcrypt runtime. You could always edit the codebase to increase the delay some more, but what I'd recommend is setting up spam-be-gone so these requests are curbed before they hit bcrypt.
Yes. bcrypt is processor intensive by design (that's what makes it so good as a password hashing algorithm, but I am no expert).
@GarrettBryan the domain is correctly routed.
The only problem is at login/registration.
And I tried with the domain only too.
I wonder if it is not a problem with the server time @PitaJ
Initially I log in on localhost, which works correctly.
Then on Heroku it could fail because the server is in a different time zone?