# Module: Azaion.Common.Configs.AuthConfig ## Purpose Configuration POCO bundling the per-IP / per-account login rate-limit knobs and the consecutive-failure account-lockout policy. Bound from `appsettings.json` section `AuthConfig`. > Added in cycle 2 (2026-05-14) by AZ-537 (Epic AZ-530, CMMC AC.L2-3.1.8). ## Public Interface ### AuthConfig | Property | Type | Description | |----------|------|-------------| | `RateLimit` | `RateLimitOptions` | Per-IP and per-account login rate-limit windows. | | `Lockout` | `LockoutOptions` | Consecutive-failure threshold and lockout duration. | ### RateLimitOptions | Property | Type | Default | Description | |----------|------|---------|-------------| | `PerIpPermitLimit` | `int` | 10 | Allowed login attempts per IP per `PerIpWindowSeconds`. Enforced by ASP.NET Core's built-in sliding-window limiter on `/login` (and `/login/mfa`). | | `PerIpWindowSeconds` | `int` | 60 | Window length for the per-IP limiter. | | `PerAccountPermitLimit` | `int` | 5 | Allowed *failed* login attempts per email per `PerAccountWindowSeconds`. Enforced by `UserService.ValidateUser` against `AuditLog.CountRecentFailedLogins`. | | `PerAccountWindowSeconds` | `int` | 300 | Window length for the per-account limiter (5 min). | ### LockoutOptions | Property | Type | Default | Description | |----------|------|---------|-------------| | `MaxAttempts` | `int` | 10 | Consecutive failed logins that trigger lockout. Counter lives on `users.failed_login_count`. | | `DurationSeconds` | `int` | 900 | Lockout duration (15 min). Sets `users.lockout_until = now() + DurationSeconds`. | ## Internal Logic None — pure data class. ## Dependencies None. ## Consumers - `Program.cs` — registers via `builder.Services.Configure(...)` and reads it eagerly to build the per-IP `SlidingWindowLimiter` partition. - `UserService.ValidateUser` — reads `RateLimit.PerAccountPermitLimit` / `PerAccountWindowSeconds` for the per-account rate limit and `Lockout.MaxAttempts` / `DurationSeconds` for lockout enforcement. ## Data Models None. ## Configuration Bound via `builder.Configuration.GetSection(nameof(AuthConfig))`. Override via env vars like `AuthConfig__Lockout__MaxAttempts=15`. ## External Integrations None. ## Security - Per-IP limit is in-memory (process-local); a multi-instance admin deployment would either need sticky-sessions on `/login` or a Redis-backed limiter (called out as a known upgrade path in `_docs/05_security/security_report.md`). - Per-account limit is DB-backed (via `audit_events`) so it survives process restarts and is consistent across instances. - Lockout precedence: a locked account returns 423 Locked even for a correct password until `lockout_until` passes (CMMC AC.L2-3.1.8 requires this). ## Tests - `e2e/Azaion.E2E/Tests/RateLimitLockoutTests.cs` — covers AC-1..AC-6 of AZ-537 with the default values from this config.