Follow-up to #956 (auth hardening review). Missing tests on existing behavior.
Context
#956 added 14 unit tests for BruteForceDetector. Still uncovered: the full lockout lifecycle through the real login path (security-audit-plugin audit middleware on POST /auth/login).
Proposed coverage
- Integration/E2E: N failed
POST /auth/login → subsequent login returns the locked response (IP and email axes).
- Successful login resets the failed-attempt counter.
- Lock auto-clears after
lockoutDurationMinutes (or via the admin force-unlock action in the security-audit admin UI).
- Admin "active lockouts" list + release action covered.
Acceptance
- E2E spec (88+) drives the lockout through real login requests and the admin unlock path.
Follow-up to #956 (auth hardening review). Missing tests on existing behavior.
Context
#956 added 14 unit tests for
BruteForceDetector. Still uncovered: the full lockout lifecycle through the real login path (security-audit-pluginaudit middleware onPOST /auth/login).Proposed coverage
POST /auth/login→ subsequent login returns the locked response (IP and email axes).lockoutDurationMinutes(or via the admin force-unlock action in the security-audit admin UI).Acceptance