feat(auth): apply LoginGuard to tenant and ops login endpoints
Wire LoginGuard into tenant-api and ops-api login flows: acquire a permit before checking credentials, record a failure on every invalid attempt to drive lockouts, and clear counters on success. Tenant-api now also forwards the request IP into the service so per-IP and IP+identifier limits actually fire under real traffic. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -40,6 +40,7 @@ type App struct {
|
||||
Engine *gin.Engine
|
||||
JWT *auth.Manager
|
||||
Sessions *auth.SessionStore
|
||||
LoginGuard *auth.LoginGuard
|
||||
LLM llm.Client
|
||||
RetrievalProvider retrieval.Provider
|
||||
VectorStore retrieval.VectorStore
|
||||
@@ -104,6 +105,7 @@ func New(configPath string) (*App, error) {
|
||||
|
||||
jwtMgr := auth.NewManager(cfg.JWT.Secret, cfg.JWT.AccessTTL, cfg.JWT.RefreshTTL)
|
||||
sessions := auth.NewSessionStore(rdb)
|
||||
loginGuard := auth.NewLoginGuard(rdb, auth.DefaultLoginGuardConfig("tenant"))
|
||||
llmClient := llm.New(cfg.LLM)
|
||||
retrievalProvider := retrieval.NewProvider(cfg.Retrieval, logger)
|
||||
vectorStore := retrieval.NewQdrantStore(cfg.Qdrant, logger)
|
||||
@@ -171,6 +173,7 @@ func New(configPath string) (*App, error) {
|
||||
Engine: engine,
|
||||
JWT: jwtMgr,
|
||||
Sessions: sessions,
|
||||
LoginGuard: loginGuard,
|
||||
LLM: llmClient,
|
||||
RetrievalProvider: retrievalProvider,
|
||||
VectorStore: vectorStore,
|
||||
|
||||
Reference in New Issue
Block a user