feat(auth): apply LoginGuard to tenant and ops login endpoints

Wire LoginGuard into tenant-api and ops-api login flows: acquire a
permit before checking credentials, record a failure on every invalid
attempt to drive lockouts, and clear counters on success. Tenant-api
now also forwards the request IP into the service so per-IP and
IP+identifier limits actually fire under real traffic.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-30 01:07:16 +08:00
parent a62c0e4b5d
commit 19037a9e4b
5 changed files with 155 additions and 7 deletions
+3 -1
View File
@@ -17,6 +17,7 @@ import (
opsconfig "github.com/geo-platform/tenant-api/internal/ops/config"
"github.com/geo-platform/tenant-api/internal/ops/repository"
"github.com/geo-platform/tenant-api/internal/ops/transport"
sharedauth "github.com/geo-platform/tenant-api/internal/shared/auth"
"github.com/geo-platform/tenant-api/internal/shared/cache"
"github.com/geo-platform/tenant-api/internal/shared/observability"
"github.com/geo-platform/tenant-api/internal/shared/repository/postgres"
@@ -75,7 +76,8 @@ func main() {
auditSvc := app.NewAuditService(auditsRepo, logger).WithIPRegionResolver(ipRegionResolver)
issuer := app.NewTokenIssuer(cfg.JWT.Secret, cfg.JWT.AccessTTL)
authSvc := app.NewAuthService(accountsRepo, auditSvc, issuer)
loginGuard := sharedauth.NewLoginGuard(rdb, sharedauth.DefaultLoginGuardConfig("ops"))
authSvc := app.NewAuthService(accountsRepo, auditSvc, issuer, loginGuard)
accountSvc := app.NewAccountService(accountsRepo, auditSvc)
adminUserSvc := app.NewAdminUserService(adminUsersRepo, auditSvc, cfg.AdminUsers.DefaultPlanCode)
kolSubscriptionSvc := app.NewKolSubscriptionService(kolSubscriptionsRepo, auditSvc).WithCache(appCache)