till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-19 10:01:23 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

feat(auth): add audit logging, account lockout, and API key rate limiting

Browse source 
1. SecurityEventsService: Centralized audit logging for all auth events
   (login, register, logout, password changes, API key operations, SSO
   token exchange, etc.). Fire-and-forget pattern ensures auth flows
   are never blocked by logging failures.

2. AccountLockoutService: Locks accounts after 5 failed login attempts
   within 15 minutes. 30-minute lockout duration. Fails open on DB
   errors. Clears attempts on successful login. Email-not-verified
   does not count as a failed attempt.

3. API Key validation endpoint secured with rate limiting (10 req/min
   per IP via ThrottlerGuard) and audit logging. Key prefixes logged
   for forensics, never full keys.

New schema: auth.login_attempts table for tracking failed logins.
174 tests passing across all auth and security modules.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Till JS 2026-03-19 22:09:58 +01:00
parent effa57fd61
commit f7df8e97aa
14 changed files with 700 additions and 68 deletions
Download patch file Download diff file Expand all files Collapse all files

2
services/mana-core-auth/src/api-keys/api-keys.module.ts
View file

@ -1,8 +1,10 @@
import { Module } from '@nestjs/common';
import { ApiKeysController } from './api-keys.controller';
import { ApiKeysService } from './api-keys.service';
import { SecurityModule } from '../security';
@Module({
imports: [SecurityModule],
controllers: [ApiKeysController],
providers: [ApiKeysService],
exports: [ApiKeysService],