Skip to content

Account lockout: login-path integration + admin unlock tests #959

Description

@lane711

Follow-up to #956 (auth hardening review). Missing tests on existing behavior.

Context

#956 added 14 unit tests for BruteForceDetector. Still uncovered: the full lockout lifecycle through the real login path (security-audit-plugin audit middleware on POST /auth/login).

Proposed coverage

  • Integration/E2E: N failed POST /auth/login → subsequent login returns the locked response (IP and email axes).
  • Successful login resets the failed-attempt counter.
  • Lock auto-clears after lockoutDurationMinutes (or via the admin force-unlock action in the security-audit admin UI).
  • Admin "active lockouts" list + release action covered.

Acceptance

  • E2E spec (88+) drives the lockout through real login requests and the admin unlock path.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestsecuritySecurity vulnerabilities

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions