mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 13:31:08 +00:00
Oleksandr Bezdieniezhnykh
4bf2e689cb
AZ-556 collapses every /login rejection (unknown email, wrong password, disabled account, lockout, per-account rate limit) to a single opaque InvalidCredentials (70) → 401 response. Timing equalised by a new Security.VerifyDummy using the same Argon2id parameters. Audit log keeps the rejection category internally (login_failed_unknown_email, login_failed_disabled). AZ-557 wires /login/mfa into the existing per-account lockout + rate-limit pipeline. MFA failures now feed UserService's shared failure accounting (RegisterMfaFailedLogin → RegisterFailedLoginCore) and CountRecentFailedLogins aggregates both login_failed and mfa_login_failed rows. Successful TOTP / recovery resets the counter. Deprecated five legacy ExceptionEnum members (NoEmailFound, WrongPassword, UserDisabled, AccountLocked, LoginRateLimited) — kept defined for cross-workspace verifier compatibility during the deprecation window. E2E coverage updated: AuthTests (byte-identical body assertion + disabled-account audit row), LoginRateLimitTests, PasswordHashingTests, SecurityTests, plus four new MfaLoginTests (AC1, AC2, AC5, AC7). Code review verdict: PASS_WITH_WARNINGS (batch_06_cycle2_review.md). Co-authored-by: Cursor <cursoragent@cursor.com>
17 lines
295 B
Markdown
17 lines
295 B
Markdown
# Autodev State
|
|
|
|
## Current Step
|
|
flow: existing-code
|
|
step: 10
|
|
name: Implement
|
|
status: in_progress
|
|
sub_step:
|
|
phase: 11
|
|
name: commit
|
|
detail: "batch 6 of 6"
|
|
leftovers_to_replay:
|
|
- _docs/_process_leftovers/2026-05-14_suite_infra_jwt_secret_drift.md
|
|
retry_count: 0
|
|
cycle: 2
|
|
tracker: jira
|