admin

azaion/admin

Fork 0

mirror of https://github.com/azaion/admin.git synced 2026-06-21 17:11:09 +00:00

Commit Graph

Author	SHA1	Message	Date
Oleksandr Bezdieniezhnykh	4bf2e689cb	[AZ-556] [AZ-557] Unify login errors + share MFA lockout pipeline AZ-556 collapses every /login rejection (unknown email, wrong password, disabled account, lockout, per-account rate limit) to a single opaque InvalidCredentials (70) → 401 response. Timing equalised by a new Security.VerifyDummy using the same Argon2id parameters. Audit log keeps the rejection category internally (login_failed_unknown_email, login_failed_disabled). AZ-557 wires /login/mfa into the existing per-account lockout + rate-limit pipeline. MFA failures now feed UserService's shared failure accounting (RegisterMfaFailedLogin → RegisterFailedLoginCore) and CountRecentFailedLogins aggregates both login_failed and mfa_login_failed rows. Successful TOTP / recovery resets the counter. Deprecated five legacy ExceptionEnum members (NoEmailFound, WrongPassword, UserDisabled, AccountLocked, LoginRateLimited) — kept defined for cross-workspace verifier compatibility during the deprecation window. E2E coverage updated: AuthTests (byte-identical body assertion + disabled-account audit row), LoginRateLimitTests, PasswordHashingTests, SecurityTests, plus four new MfaLoginTests (AC1, AC2, AC5, AC7). Code review verdict: PASS_WITH_WARNINGS (batch_06_cycle2_review.md). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-14 09:56:00 +03:00
Oleksandr Bezdieniezhnykh	1e1ded73f5	[AZ-534] TOTP-based 2FA at credential login ci/woodpecker/push/01-test Pipeline failed Details ci/woodpecker/push/02-build-push unknown status Details Add RFC 6238 TOTP enrollment, two-step /login flow, recovery codes, and the amr=["pwd","mfa"] claim that propagates through refresh-token rotation. - New endpoints: /users/me/mfa/{enroll,confirm,disable} and /login/mfa. - /login short-circuits to a 5-min ES256 step-1 token (audience-pinned azaion-mfa-step2) when the user has MFA enabled; real access+refresh pair is minted only after /login/mfa. - mfa_secret encrypted at rest via ASP.NET Core IDataProtector (purpose=Azaion.Mfa.Secret.v1; key folder configurable via DataProtection:KeysFolder for production persistence). - Recovery codes (10 single-use, base32, ~80-bit entropy) hashed with SHA-256 and stored as JSONB; constant-time compare on lookup. - RFC 6238 §5.2 replay defense via mfa_last_used_window per user. - Sessions carry mfa_authenticated so /token/refresh re-stamps the amr claim correctly across the entire 30-day refresh window. - New audit events: enroll, confirm, disable, login-success/failed, recovery-used. - Schema: env/db/10_users_mfa.sql adds users.mfa_* columns and sessions.mfa_authenticated; mfa_recovery_codes mapped as BinaryJson in AzaionDbSchemaHolder; disable path uses raw parameterised SQL to avoid LinqToDB null-literal type-inference on jsonb columns. E2E: 6 new tests in MfaLoginTests cover all six AC; full suite 82 passed / 0 failed / 3 intentional skips. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-14 06:21:28 +03:00

Author

SHA1

Message

Date

Oleksandr Bezdieniezhnykh

4bf2e689cb

[AZ-556] [AZ-557] Unify login errors + share MFA lockout pipeline

AZ-556 collapses every /login rejection (unknown email, wrong password,
disabled account, lockout, per-account rate limit) to a single opaque
InvalidCredentials (70) → 401 response. Timing equalised by a new
Security.VerifyDummy using the same Argon2id parameters. Audit log keeps
the rejection category internally (login_failed_unknown_email,
login_failed_disabled).

AZ-557 wires /login/mfa into the existing per-account lockout +
rate-limit pipeline. MFA failures now feed UserService's shared failure
accounting (RegisterMfaFailedLogin → RegisterFailedLoginCore) and
CountRecentFailedLogins aggregates both login_failed and
mfa_login_failed rows. Successful TOTP / recovery resets the counter.

Deprecated five legacy ExceptionEnum members (NoEmailFound,
WrongPassword, UserDisabled, AccountLocked, LoginRateLimited) — kept
defined for cross-workspace verifier compatibility during the
deprecation window.

E2E coverage updated: AuthTests (byte-identical body assertion +
disabled-account audit row), LoginRateLimitTests, PasswordHashingTests,
SecurityTests, plus four new MfaLoginTests (AC1, AC2, AC5, AC7).

Code review verdict: PASS_WITH_WARNINGS (batch_06_cycle2_review.md).

Co-authored-by: Cursor <cursoragent@cursor.com>

2026-05-14 09:56:00 +03:00

Oleksandr Bezdieniezhnykh

1e1ded73f5

[AZ-534] TOTP-based 2FA at credential login

ci/woodpecker/push/01-test Pipeline failed

Details

ci/woodpecker/push/02-build-push unknown status

Details

Add RFC 6238 TOTP enrollment, two-step /login flow, recovery codes, and
the amr=["pwd","mfa"] claim that propagates through refresh-token rotation.

- New endpoints: /users/me/mfa/{enroll,confirm,disable} and /login/mfa.
- /login short-circuits to a 5-min ES256 step-1 token (audience-pinned
  azaion-mfa-step2) when the user has MFA enabled; real access+refresh
  pair is minted only after /login/mfa.
- mfa_secret encrypted at rest via ASP.NET Core IDataProtector
  (purpose=Azaion.Mfa.Secret.v1; key folder configurable via
  DataProtection:KeysFolder for production persistence).
- Recovery codes (10 single-use, base32, ~80-bit entropy) hashed with
  SHA-256 and stored as JSONB; constant-time compare on lookup.
- RFC 6238 §5.2 replay defense via mfa_last_used_window per user.
- Sessions carry mfa_authenticated so /token/refresh re-stamps the
  amr claim correctly across the entire 30-day refresh window.
- New audit events: enroll, confirm, disable, login-success/failed,
  recovery-used.
- Schema: env/db/10_users_mfa.sql adds users.mfa_* columns and
  sessions.mfa_authenticated; mfa_recovery_codes mapped as BinaryJson
  in AzaionDbSchemaHolder; disable path uses raw parameterised SQL to
  avoid LinqToDB null-literal type-inference on jsonb columns.

E2E: 6 new tests in MfaLoginTests cover all six AC; full suite
82 passed / 0 failed / 3 intentional skips.

Co-authored-by: Cursor <cursoragent@cursor.com>

2026-05-14 06:21:28 +03:00

2 Commits