feat(auth): apply LoginGuard to tenant and ops login endpoints

Wire LoginGuard into tenant-api and ops-api login flows: acquire a
permit before checking credentials, record a failure on every invalid
attempt to drive lockouts, and clear counters on success. Tenant-api
now also forwards the request IP into the service so per-IP and
IP+identifier limits actually fire under real traffic.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-30 01:07:16 +08:00
parent a62c0e4b5d
commit 19037a9e4b
5 changed files with 155 additions and 7 deletions
+3
View File
@@ -40,6 +40,7 @@ type App struct {
Engine *gin.Engine
JWT *auth.Manager
Sessions *auth.SessionStore
LoginGuard *auth.LoginGuard
LLM llm.Client
RetrievalProvider retrieval.Provider
VectorStore retrieval.VectorStore
@@ -104,6 +105,7 @@ func New(configPath string) (*App, error) {
jwtMgr := auth.NewManager(cfg.JWT.Secret, cfg.JWT.AccessTTL, cfg.JWT.RefreshTTL)
sessions := auth.NewSessionStore(rdb)
loginGuard := auth.NewLoginGuard(rdb, auth.DefaultLoginGuardConfig("tenant"))
llmClient := llm.New(cfg.LLM)
retrievalProvider := retrieval.NewProvider(cfg.Retrieval, logger)
vectorStore := retrieval.NewQdrantStore(cfg.Qdrant, logger)
@@ -171,6 +173,7 @@ func New(configPath string) (*App, error) {
Engine: engine,
JWT: jwtMgr,
Sessions: sessions,
LoginGuard: loginGuard,
LLM: llmClient,
RetrievalProvider: retrievalProvider,
VectorStore: vectorStore,