feat(auth): rate limit feedback, audit log UI, and E2E tests

Rate-limiting feedback: - LoginPage detects 429/account-locked errors and shows countdown timer - Submit button disabled during cooldown period Audit log: - GET /auth/security-events endpoint (JWT-protected) in auth controller - getSecurityEvents() in BetterAuthService + shared-auth client - AuditLog component with event type labels, relative dates, UA parsing - Integrated in ManaCore settings page E2E tests (passkey-2fa.e2e-spec.ts): - Passkey registration/authentication flow tests - Auth guard enforcement (protected vs public endpoints) - 2FA passthrough route existence tests - Edge cases (cross-user access, missing fields, token shape) CSRF note: Already covered by Better Auth (SameSite + HttpOnly + Trusted Origins). Token refresh already has 4-retry + offline detection. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-17 16:29:40 +02:00 · 2026-03-26 21:58:56 +01:00 · 2026-03-26 21:58:56 +01:00 · 0dfd603892
commit 0dfd603892
parent 11ab265d55
9 changed files with 1061 additions and 2 deletions
--- a/packages/shared-auth/src/core/authService.ts
+++ b/packages/shared-auth/src/core/authService.ts
@ -778,6 +778,25 @@ export function createAuthService(config: AuthServiceConfig) {
 			}
 		},

+		/**
+		 * Get security events (audit log)
+		 */
+		async getSecurityEvents(limit = 50): Promise<any[]> {
+			try {
+				const appToken = await service.getAppToken();
+				if (!appToken) return [];
+
+				const res = await fetch(`${baseUrl}/api/v1/auth/security-events?limit=${limit}`, {
+					headers: { Authorization: `Bearer ${appToken}` },
+				});
+
+				if (!res.ok) return [];
+				return await res.json();
+			} catch {
+				return [];
+			}
+		},
+
 		/**
 		 * Get the current app token
 		 */