Skip to content
This repository was archived by the owner on Jun 19, 2026. It is now read-only.

feat: add login anomaly detection and suspicious activity alerts (closes #124)#150

Open
technologicsingularity wants to merge 1 commit into
rohitdash08:mainfrom
technologicsingularity:feat/login-anomaly-detection-124
Open

feat: add login anomaly detection and suspicious activity alerts (closes #124)#150
technologicsingularity wants to merge 1 commit into
rohitdash08:mainfrom
technologicsingularity:feat/login-anomaly-detection-124

Conversation

@technologicsingularity

Copy link
Copy Markdown

Summary

What's included

New service: app/services/security.py

Feature Detail
Brute-force protection Block IP after 5 failed attempts (Redis, 10-min TTL) → HTTP 429
Login event tracking Store last 10 logins per user in Redis (30-day TTL) with IP + timestamp
Unusual hour detection Alert on logins 01:00–05:00 UTC via security_alert field
Audit logging login_success, login_failed, brute_force_blocked written to AuditLog

Modified: POST /auth/login

1. is_brute_force(ip, email)? → 429 {"error": "too_many_attempts"}
2. Bad credentials? → record_failed_login() + AuditLog → 401
3. Success → reset_failure_count() + store_login_event() + AuditLog
4. Unusual hour? → append "security_alert" to response JSON

New endpoint: GET /auth/security-events

JWT-protected. Returns last 10 login events for the authenticated user:

{
  "events": [
    {"ip": "192.168.1.1", "hour": 14, "timestamp": "2026-02-20T14:32:00+00:00"}
  ]
}

Modified: app/models.py

  • Added ip_address (String 45) and details (Text) columns to AuditLog for richer security event tracking

Example: Login with security alert

{
  "access_token": "...",
  "refresh_token": "...",
  "security_alert": "Login detected at unusual hour (02:34 UTC)"
}

Validation

  • Backend tests: 27 new tests, all 52 tests passing (./scripts/test-backend.sh)
  • No regressions in existing test suite
  • Covers: 401 bad creds, 400 missing fields, 429 brute force, counter reset, Redis TTL, unusual hour alert, security-events endpoint, audit log entries

Security and Ownership

  • PR opened from a fork (not direct push to main)

Checklist

  • No secrets added
  • No unrelated files changed
  • Production ready — all security functions handle Redis/DB errors gracefully

…sh08#124)

Detect unusual login behavior and alert users via response payload.

- Brute force protection: block IP after 5 failed attempts (Redis, 10min TTL)
- Login event tracking: store last 10 logins per user in Redis (30-day TTL)
- Unusual hour detection: warn on logins between 01:00-05:00 UTC
- New GET /auth/security-events endpoint: returns recent login history
- AuditLog extended with ip_address and details columns
- Logs login_success, login_failed, brute_force_blocked events

Tests: 27 new tests covering brute force, rate limiting, anomaly
detection, security events endpoint, audit logging
@rohitdash08

Copy link
Copy Markdown
Owner

@technologicsingularity, can you please share your discord or connect me over discord to discuss this further?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants