Oleksandr Bezdieniezhnykh
4bf2e689cb
AZ-556 collapses every /login rejection (unknown email, wrong password, disabled account, lockout, per-account rate limit) to a single opaque InvalidCredentials (70) → 401 response. Timing equalised by a new Security.VerifyDummy using the same Argon2id parameters. Audit log keeps the rejection category internally (login_failed_unknown_email, login_failed_disabled). AZ-557 wires /login/mfa into the existing per-account lockout + rate-limit pipeline. MFA failures now feed UserService's shared failure accounting (RegisterMfaFailedLogin → RegisterFailedLoginCore) and CountRecentFailedLogins aggregates both login_failed and mfa_login_failed rows. Successful TOTP / recovery resets the counter. Deprecated five legacy ExceptionEnum members (NoEmailFound, WrongPassword, UserDisabled, AccountLocked, LoginRateLimited) — kept defined for cross-workspace verifier compatibility during the deprecation window. E2E coverage updated: AuthTests (byte-identical body assertion + disabled-account audit row), LoginRateLimitTests, PasswordHashingTests, SecurityTests, plus four new MfaLoginTests (AC1, AC2, AC5, AC7). Code review verdict: PASS_WITH_WARNINGS (batch_06_cycle2_review.md). Co-authored-by: Cursor <cursoragent@cursor.com>
Azaion Admin API — black-box E2E tests
Run (Docker)
From the repository root:
docker compose -f docker-compose.test.yml up --build --abort-on-container-exit --exit-code-from e2e-consumer
Reports are written to e2e/test-results/ on the host (results.trx, results.xunit.xml).
Database bootstrap
The stock Postgres entrypoint runs every file in /docker-entrypoint-initdb.d/ against POSTGRES_DB only. The scripts under env/db/ expect different databases (postgres vs azaion), so e2e/db-init/00_run_all.sh runs 01_permissions.sql on postgres, then 02_structure.sql, 03_add_timestamp_columns.sql, and 99_test_seed.sql on azaion. The compose file uses POSTGRES_USER=postgres so 01_permissions.sql can create roles and the azaion database as written.
99_test_seed.sql sets azaion_admin / azaion_reader passwords to test_password (matching the API connection strings) and updates seed user password hashes for Admin1234 and Upload1234.
Local dotnet test (without Docker)
appsettings.test.json targets http://system-under-test:8080. Running tests on the host will fail fixture setup unless you override ApiBaseUrl (for example via environment variables) and run the API plus Postgres yourself.