Labels: enhancement security
Description
src/modules/auth/auth.service.ts has no protection against brute
force login attempts. Without lockout, attackers can try unlimited
password combinations.
Implementation Requirements
- Track failed login attempts in
src/modules/auth/auth.service.ts
- Add
failedLoginAttempts and lockedUntil fields to src/modules/users/user.entity.ts
- Return 423 status when account is locked with unlock time
- Lock after 5 failed attempts, unlock after 15 minutes
- Add unit tests
Acceptance Criteria
Evidence Required
Contributors must provide ALL of the following:
Files Affected
src/modules/auth/auth.service.ts (modify)
src/modules/users/user.entity.ts (modify)
src/modules/auth/auth.service.spec.ts (modify)
Labels: enhancement security
Description
src/modules/auth/auth.service.tshas no protection against bruteforce login attempts. Without lockout, attackers can try unlimited
password combinations.
Implementation Requirements
src/modules/auth/auth.service.tsfailedLoginAttemptsandlockedUntilfields tosrc/modules/users/user.entity.tsAcceptance Criteria
Evidence Required
Contributors must provide ALL of the following:
npm run start:devFiles Affected
src/modules/auth/auth.service.ts(modify)src/modules/users/user.entity.ts(modify)src/modules/auth/auth.service.spec.ts(modify)