feat(auth): add audit logging, account lockout, and API key rate limiting

1. SecurityEventsService: Centralized audit logging for all auth events (login, register, logout, password changes, API key operations, SSO token exchange, etc.). Fire-and-forget pattern ensures auth flows are never blocked by logging failures. 2. AccountLockoutService: Locks accounts after 5 failed login attempts within 15 minutes. 30-minute lockout duration. Fails open on DB errors. Clears attempts on successful login. Email-not-verified does not count as a failed attempt. 3. API Key validation endpoint secured with rate limiting (10 req/min per IP via ThrottlerGuard) and audit logging. Key prefixes logged for forensics, never full keys. New schema: auth.login_attempts table for tracking failed logins. 174 tests passing across all auth and security modules. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-23 05:06:41 +02:00 · 2026-03-19 22:09:58 +01:00 · 2026-03-19 22:09:58 +01:00 · f7df8e97aa
commit f7df8e97aa
parent effa57fd61
14 changed files with 700 additions and 68 deletions
--- a/services/mana-core-auth/src/app.module.ts
+++ b/services/mana-core-auth/src/app.module.ts
@ -21,6 +21,7 @@ import { AnalyticsModule } from './analytics';
 import { MetricsModule } from './metrics';
 import { HttpExceptionFilter } from './common/filters/http-exception.filter';
 import { LoggerModule } from './common/logger';
+import { SecurityModule } from './security';

@Module({
 	imports: [
@ -35,6 +36,7 @@ import { LoggerModule } from './common/logger';
 			},
 		]),
 		LoggerModule,
+		SecurityModule,
 		MetricsModule,
 		AnalyticsModule,
 		AdminModule,