feat(auth): apply LoginGuard to tenant and ops login endpoints

Wire LoginGuard into tenant-api and ops-api login flows: acquire a
permit before checking credentials, record a failure on every invalid
attempt to drive lockouts, and clear counters on success. Tenant-api
now also forwards the request IP into the service so per-IP and
IP+identifier limits actually fire under real traffic.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-30 01:07:16 +08:00
parent a62c0e4b5d
commit 19037a9e4b
5 changed files with 155 additions and 7 deletions
@@ -24,6 +24,7 @@ func NewAuthHandler(a *bootstrap.App) *AuthHandler {
a.KolProfiles,
a.JWT,
a.Sessions,
a.LoginGuard,
),
}
}
@@ -34,6 +35,7 @@ func (h *AuthHandler) Login(c *gin.Context) {
response.Error(c, response.ErrBadRequest(40001, "invalid_params", err.Error()))
return
}
req.IP = c.ClientIP()
resp, err := h.svc.Login(c.Request.Context(), req)
if err != nil {
response.Error(c, err)