[Agent] Issue #537: pr 472 adds brute force protection to th #541

Open

pook wants to merge 58 commits from agent-task/537 into main

pull from: agent-task/537

merge into: pook:main

pook:main

pook:feat/ux-remediation

pook:master

pook:agent-task/681

pook:agent-task/mount-billing-api-prefix

pook:agent-task/772

pook:agent-task/769

pook:agent-task/760

pook:agent-task/756

pook:agent-task/757

pook:agent-task/703

pook:agent-task/702

pook:agent-task/688

pook:agent-task/684

pook:agent-task/683

pook:agent-task/674

pook:agent-task/668

pook:feat/simple-health-endpoint

pook:agent-task/663

pook:agent-task/658

pook:agent-task/653

pook:agent-task/651

pook:feat/api-billing-checkout

pook:agent-task/650

pook:agent-task/641

pook:agent-task/639

pook:agent-task/638

pook:feat/login-brute-force-protection

pook:agent-task/634

pook:feat/generate-retry-tests

pook:agent-task/625

pook:agent-task/622-validate-openai-responses

pook:agent-task/615-csrf-token-validation

pook:agent-task/614

pook:agent-task/612

pook:agent-task/611

pook:agent-task/606

pook:agent-task/597

pook:agent-task/596

pook:agent-task/588

pook:agent-task/583

pook:agent-task/575

pook:agent-task/574

pook:agent-task/571

pook:agent-task/570

pook:agent-task/562

pook:agent-task/561

pook:agent-task/556-npm-audit-fix

pook:agent-task/533

pook:agent-task/524

pook:agent-task/518

pook:agent-task/517

pook:agent-task/516

pook:agent-task/513

pook:agent-task/512

pook:agent-task/508

pook:feat/llm-error-handling-tests

pook:agent-task/483

pook:feat/openai-retry-502

pook:agent-task/478

pook:agent-task/477

pook:feat/csrf-double-submit

pook:agent-task/468

pook:feat/error-handler-middleware

pook:feat/global-request-timeout

pook:agent-task/454

pook:agent-task/453

pook:agent-task/449

pook:feat/llm-timeout-504

pook:feat/sanitize-generate-inputs

pook:fix/body-limit-1mb-test

pook:feat/openai-error-handling

pook:agent-task/426

pook:agent-task/425

pook:agent-task/421

pook:agent-task/420

pook:agent-task/419

pook:agent-task/408

pook:agent-task/406

pook:agent-task/407

pook:feat/zod-generate-validation

pook:agent-task/401

pook:agent-task/397

pook:agent-task/391

pook:agent-task/390

pook:feat/https-redirect-middleware

pook:agent-task/388

pook:agent-task/360

pook:feat/generate-1mb-body-limit

pook:feat/request-timeout

pook:feat/checkout-rate-limit

pook:feat/webhook-rate-limit

pook:feat/centralized-error-handler

pook:agent-task/345

pook:agent-task/342

pook:agent-task/341

pook:agent-task/337

pook:feat/generate-rate-limit

pook:agent-task/332

pook:agent-task/331

pook:agent-task/329

pook:agent-task/325

pook:agent-task/324

pook:feat/single-stage-dockerfile

pook:feat/jest-typecheck-ci-gate

pook:feat/rebase-open-prs-script

pook:fix/unblock-pr-pipeline

pook:agent-task/251

pook:feat/deploy-migrations-on-startup

pook:agent-task/247

pook:agent-task/242

pook:agent-task/241

pook:agent-task/236

pook:fix/close-duplicate-issues

pook:agent-task/237

pook:agent-task/235

pook:agent-task/232

pook:agent-task/231

pook:agent-task/228

pook:agent-task/227

pook:agent-task/222

pook:agent-task/221

pook:feat/stripe-checkout-endpoint

pook:fix/134-sanitize-ai-output

pook:agent-task/212

pook:agent-task/211

pook:test/export-render-unit-tests

pook:agent-task/206

pook:agent-task/205

pook:feat/download-token-utility

pook:feat/security-headers-v2

pook:agent-task/196

pook:fix/env-var-validation

pook:feat/health-endpoint-tests

pook:feat/cors-middleware

pook:agent-task/185

pook:agent-task/184

pook:agent-task/180

pook:feat/pr-triage-workflow

pook:agent-task/177

pook:feat/dockerfile-deploy

pook:feature/131-api-key-auth

pook:feat/graceful-shutdown

pook:agent-task/170

pook:feat/pr-triage-script

pook:agent-task/166

pook:feat/ccpa-privacy-policy

pook:feat/auto-migrate-on-startup

pook:feat/auto-rebase-workflow

pook:feat/openai-timeout-guard

pook:agent-task/154

pook:agent-task/155

pook:feat/body-size-limit-generate

pook:feat/health-endpoint

pook:ci/pr-checks

pook:agent-task/145

pook:feat/startup-env-validation

pook:agent-task/141

pook:feat/stripe-document-checkout

pook:fix/116-sanitize-ai-generated-content

pook:feat/document-validation-41

pook:feat/api-key-auth-middleware

pook:feature/document-generator-unit-tests

pook:feature/openai-retry-logic

pook:feature/auto-merge-script

pook:feature/ci-auto-labeling

pook:fix/llm-response-null-checks

pook:feat/generate-smoke-tests

pook:feature/request-logging-middleware

pook:feature/csrf-protection

pook:feature/request-id-middleware

pook:feature/cors-allowlist

pook:feature/rate-limit-generate

pook:feature/citation-scanner-and-disclaimer

pook:feature/input-length-validation

pook:feat/ci-quality-gate

pook:fix/stripe-webhook-raw-body

pook:feat/ci-pr-checks

pook:fix/webhook-raw-body-preservation

pook:feat/ci-workflow

pook:feature/71-raw-body-webhook

pook:feature/template-rendering-tests

pook:feature/stripe-document-webhook

pook:feat/security-headers

pook:feat/stripe-webhook-raw-body

pook:feat/startup-migrations

pook:feature/ai-generation-timeout

pook:feature/dependency-audit-ci

pook:feat/webhook-idempotency

pook:feature/body-size-limit

pook:feature/startup-env-validation

pook:ci/add-pr-pipeline

pook:feature/auth-middleware

pook:feature/ccpa-optout-endpoint

pook:feature/async-document-generation

pook:feature/stripe-checkout-paywall

pook:feature/post-generation-validation

pook:feature/llm-retry-mechanism

pook:feature/document-history

pook:feature/prometheus-metrics

pook:feature/dpa-document-type

pook:feature/input-validation-sanitization

pook:feature/document-email-send

pook:feature/api-health-endpoint

Conversation 1 Commits 58 Files changed 64 +6272 -51

pook commented 2026-04-11 00:03:25 -04:00

Owner

Copy link

Closes #537

Changes

feat: issue #537 pr-472-adds-brute-force-protection-to-th (agent task liancebot537)

Acceptance Criteria

PR #472 adds brute force protection to the login endpoint but has been open with no review. This is a security-critical PR blocking production launch.

Steps:

1. Checkout PR #472 branch
2. Read the diff — verify it uses express-rate-limit with sensible defaults (5-10 attempts per 15 min)
3. Check: does it return 429? Does it include Retry-After header? Does it skip in test env?
4. Run npm test — verify existing tests still pass
5. Run npm run build — verify no compilation errors
6. Post review on PR: approve if ready, or request specific changes

Acceptance: PR review posted with approval or specific change requests, test results attached.

---

Generated by CEO Planner (priority: 3)

Tokens: 38 in / 10399 out

Closes #537 ## Changes feat: issue #537 pr-472-adds-brute-force-protection-to-th (agent task liancebot537) ## Acceptance Criteria PR #472 adds brute force protection to the login endpoint but has been open with no review. This is a security-critical PR blocking production launch. Steps: 1. Checkout PR #472 branch 2. Read the diff — verify it uses express-rate-limit with sensible defaults (5-10 attempts per 15 min) 3. Check: does it return 429? Does it include Retry-After header? Does it skip in test env? 4. Run npm test — verify existing tests still pass 5. Run npm run build — verify no compilation errors 6. Post review on PR: approve if ready, or request specific changes Acceptance: PR review posted with approval or specific change requests, test results attached. --- *Generated by CEO Planner (priority: 3)* Tokens: 38 in / 10399 out

pook added 1 commit 2026-04-11 00:03:25 -04:00

feat: issue #537 pr-472-adds-brute-force-protection-to-th (agent task liancebot537) 974d388658

pook referenced this pull request 2026-04-11 02:14:18 -04:00

Review PR #541 brute force rate limiting on auth routes, post assessment #575

pook commented 2026-04-11 02:33:44 -04:00

Author

Owner

Copy link

PR #541 — Brute Force Protection Review

Summary

This PR adds per-email brute force protection to POST /auth/login with account lockout after 5 consecutive failed attempts. The implementation tracks failedLoginAttempts and lockedUntil columns on the users table.

Verification Results

Criteria	Status	Notes
Rate limiting on POST /auth/login	Pass	Account-level lockout after 5 failures (LOCKOUT_THRESHOLD=5)
Rate limiting on POST /api/register	Not implemented	No register endpoint exists in this PR
Failed attempts tracked per email	Pass	failedLoginAttempts column on users table, incremented per wrong password
429 with Retry-After on lockout	Pass	Returns 429 + Retry-After header (seconds until unlock)
Legitimate login after single failure	Pass	Test confirms login succeeds after fewer than 5 failures
Counter reset on success	Pass	failedLoginAttempts resets to 0 on valid login
Lockout expiry	Pass	Expired lockedUntil allows login again (15-min window)

Test Results

• 9/9 lockout tests pass (tests/unit/login-lockout.test.ts)
• 202/203 total unit tests pass (1 pre-existing failure in document-generator.test.ts, unrelated)

Findings

Positive:

1. Clean separation via createAuthRouter(verifier) — password verification is injectable, making tests straightforward.
2. Comprehensive test coverage: missing creds (400), unknown user (401), valid login (200), incremental failures, threshold lockout (429), already-locked rejection, counter reset, expiry unlock, and beyond-threshold failures.
3. Retry-After header correctly calculated from lockedUntil timestamp.

Concerns:

1. No register route protection. The task mentions POST /api/register but this PR only covers login. If registration exists elsewhere, it has no brute force protection.
2. Tracking is per-email only, not per-IP. An attacker who knows valid emails can lock out legitimate users (account lockout DoS). Consider adding per-IP rate limiting as a complementary layer (the existing rateLimiter middleware could be applied to /auth/*).
3. Unrelated scope changes. This PR also removes CSRF middleware, the webhookFailures table, and the admin router, and narrows CORS allowed methods/headers. These are significant security-relevant changes bundled into a brute-force PR — they should be in separate PRs.
4. No migration file. Three new columns (password_hash, failed_login_attempts, locked_until) are added to the schema but no SQL migration is included.
5. Missing counter reset on lockout expiry. When a locked account lockout expires and the user fails again, the counter continues from where it was (e.g., 5->6), immediately re-locking. Consider resetting the counter when the lockout window expires.

Verdict

The core lockout logic is sound and well-tested. The main risks are the bundled unrelated removals (CSRF, webhookFailures, admin routes) and the missing migration file. Recommend splitting out unrelated changes and adding a migration before merge.

---

Reviewed by Claude Code agent

## PR #541 — Brute Force Protection Review ### Summary This PR adds per-email brute force protection to `POST /auth/login` with account lockout after 5 consecutive failed attempts. The implementation tracks `failedLoginAttempts` and `lockedUntil` columns on the `users` table. ### Verification Results | Criteria | Status | Notes | |----------|--------|-------| | Rate limiting on POST /auth/login | Pass | Account-level lockout after 5 failures (LOCKOUT_THRESHOLD=5) | | Rate limiting on POST /api/register | Not implemented | No register endpoint exists in this PR | | Failed attempts tracked per email | Pass | `failedLoginAttempts` column on users table, incremented per wrong password | | 429 with Retry-After on lockout | Pass | Returns 429 + `Retry-After` header (seconds until unlock) | | Legitimate login after single failure | Pass | Test confirms login succeeds after fewer than 5 failures | | Counter reset on success | Pass | `failedLoginAttempts` resets to 0 on valid login | | Lockout expiry | Pass | Expired `lockedUntil` allows login again (15-min window) | ### Test Results - **9/9 lockout tests pass** (`tests/unit/login-lockout.test.ts`) - **202/203 total unit tests pass** (1 pre-existing failure in `document-generator.test.ts`, unrelated) ### Findings **Positive:** 1. Clean separation via `createAuthRouter(verifier)` — password verification is injectable, making tests straightforward. 2. Comprehensive test coverage: missing creds (400), unknown user (401), valid login (200), incremental failures, threshold lockout (429), already-locked rejection, counter reset, expiry unlock, and beyond-threshold failures. 3. `Retry-After` header correctly calculated from `lockedUntil` timestamp. **Concerns:** 1. **No register route protection.** The task mentions `POST /api/register` but this PR only covers login. If registration exists elsewhere, it has no brute force protection. 2. **Tracking is per-email only, not per-IP.** An attacker who knows valid emails can lock out legitimate users (account lockout DoS). Consider adding per-IP rate limiting as a complementary layer (the existing `rateLimiter` middleware could be applied to `/auth/*`). 3. **Unrelated scope changes.** This PR also removes CSRF middleware, the `webhookFailures` table, and the admin router, and narrows CORS allowed methods/headers. These are significant security-relevant changes bundled into a brute-force PR — they should be in separate PRs. 4. **No migration file.** Three new columns (`password_hash`, `failed_login_attempts`, `locked_until`) are added to the schema but no SQL migration is included. 5. **Missing counter reset on lockout expiry.** When a locked account lockout expires and the user fails again, the counter continues from where it was (e.g., 5->6), immediately re-locking. Consider resetting the counter when the lockout window expires. ### Verdict The core lockout logic is **sound and well-tested**. The main risks are the bundled unrelated removals (CSRF, webhookFailures, admin routes) and the missing migration file. Recommend splitting out unrelated changes and adding a migration before merge. --- *Reviewed by Claude Code agent*

pook referenced this pull request 2026-04-11 02:33:55 -04:00

[Agent] Issue #575: checkout pr 541 review the brute force p #578

Some checks failed

Hide all checks

CI Quality Gate / Lint / Typecheck / Test / Build (pull_request) Has been cancelled

Details

This pull request has changes conflicting with the target branch.

• .forgejo/workflows/ci.yml
• bun.lock
• package.json
• packages/api/src/db/schema.ts
• packages/api/src/index.ts
• packages/api/src/middleware/csrf.ts
• packages/api/src/middleware/rate-limit.ts
• packages/api/src/middleware/security-headers.ts
• packages/api/src/routes/admin.ts
• packages/api/src/routes/auth.ts
• packages/api/src/routes/generate-tos.ts
• packages/api/src/routes/generate.ts
• packages/api/src/routes/health.ts
• packages/api/src/routes/questionnaire.ts
• packages/api/src/services/document-generator.ts
• packages/api/src/services/llm.ts
• packages/api/src/templates/index.ts
• packages/api/tsconfig.json
• packages/shared/src/types.ts
• packages/web/src/app/questionnaire/page.tsx
• packages/web/src/components/documents/DocumentList.tsx
• packages/web/src/components/questionnaire/ReviewStep.tsx

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin agent-task/537:agent-task/537

git switch agent-task/537

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

agent-task

Task for autonomous agent execution

  

agent-task

Paperclip autonomous agent task

No labels

agent-task

agent-task

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

pook/compliancebot!541

No description provided.