Skip to content

Title: Add account lockout after repeated failed login attempts #69

Description

@Uyoxy

Labels: enhancement security

Description

src/modules/auth/auth.service.ts has no protection against brute
force login attempts. Without lockout, attackers can try unlimited
password combinations.

Implementation Requirements

  • Track failed login attempts in src/modules/auth/auth.service.ts
  • Add failedLoginAttempts and lockedUntil fields to src/modules/users/user.entity.ts
  • Return 423 status when account is locked with unlock time
  • Lock after 5 failed attempts, unlock after 15 minutes
  • Add unit tests

Acceptance Criteria

  • Account locks after 5 failed login attempts
  • Locked account returns 423 with unlock time
  • Successful login resets failed attempt counter
  • Unit tests pass
  • CI checks pass before PR is merged

Evidence Required

Contributors must provide ALL of the following:

  • Screenshot of server running with npm run start:dev
  • Screenshot showing 423 response after 5 failed attempts
  • Screenshot of unit tests passing
  • Screenshot of passing CI checks on the PR

Files Affected

  • src/modules/auth/auth.service.ts (modify)
  • src/modules/users/user.entity.ts (modify)
  • src/modules/auth/auth.service.spec.ts (modify)

Metadata

Metadata

Assignees

Labels

GrantFox OSSIssue tracked in GrantFox OSSMaybe RewardedIssue may be eligible for a GrantFox rewardOfficial CampaignCampaign: Official Campaign

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions