feat(auth): wire lockout, rate-limit, and constant-time login into both routes

Both POST /login (HTML form) and POST /api/v1/auth/login now flow through
the shared attemptLogin() handler. Locked accounts respond with 401 +
Retry-After (generic body "Invalid credentials" / "Invalid username or
password") so attackers can't use lockout state as a username-existence
oracle.

@fastify/rate-limit registered with global=false; only the two login
routes opt in via per-route rateLimit config. File uploads and downloads
keep full throughput. Custom errorResponseBuilder logs AUTH_RATE_LIMITED
fire-and-forget so fail2ban can pick it up.

createTestApp now accepts Partial<Config> overrides so integration tests
can dial thresholds down without env-var mutation.

src/routes/api/v1/auth.ts

@@ -2,14 +2,15 @@ import type { FastifyPluginAsync } from 'fastify';
 import type Database from 'better-sqlite3';
 import type { Config } from '../../../config.ts';
 import type { Logger } from '../../../middleware/logging.ts';
-import { getUserByUsername } from '../../../db/users.ts';
-import { verifyPassword } from '../../../services/auth.ts';
+import type { LockoutService } from '../../../services/lockout.ts';
+import { attemptLogin } from '../../../services/login-handler.ts';
 import { requireAuth, tokenCookieOptions } from '../../../middleware/auth.ts';
 
 interface Deps {
   db: Database.Database;
   config: Config;
   logger: Logger;
+  lockout: LockoutService;
 }
 
 interface LoginBody {
@@ -18,30 +19,50 @@ interface LoginBody {
 }
 
 export const authApiRoutes: FastifyPluginAsync<{ deps: Deps }> = async (app, { deps }) => {
-  const { db, config, logger } = deps;
+  const { config } = deps;
 
-  app.post<{ Body: LoginBody }>('/login', async (request, reply) => {
-    const { username, password } = request.body ?? {};
-    const ip = request.ip;
-    const userAgent = request.headers['user-agent'] ?? '';
+  app.post<{ Body: LoginBody }>(
+    '/login',
+    {
+      config: {
+        rateLimit: {
+          max: config.loginRateLimitMax,
+          timeWindow: config.loginRateLimitWindowSeconds * 1000,
+        },
+      },
+    },
+    async (request, reply) => {
+      const { username, password } = request.body ?? {};
 
-    if (!username || !password) {
-      return reply.status(400).send({ error: 'username and password are required' });
-    }
+      const result = await attemptLogin(deps, {
+        username: username ?? '',
+        password: password ?? '',
+        ip: request.ip,
+        userAgent: request.headers['user-agent'] ?? '',
+      });
 
-    const user = getUserByUsername(db, username);
-    const valid = user ? await verifyPassword(password, user.password_hash) : false;
+      if (result.kind === 'bad_request') {
+        return reply.status(400).send({ error: 'username and password are required' });
+      }
 
-    if (!user || !valid) {
-      await logger.authFailure({ ip, userAgent, username });
-      return reply.status(401).send({ error: 'Invalid credentials' });
-    }
+      if (result.kind === 'locked') {
+        return reply
+          .status(401)
+          .header('Retry-After', String(result.retryAfterSeconds))
+          .send({ error: 'Invalid credentials' });
+      }
 
-    await logger.authSuccess({ ip, userAgent, username });
+      if (result.kind === 'bad_credentials') {
+        return reply.status(401).send({ error: 'Invalid credentials' });
+      }
 
-    const token = app.jwt.sign({ sub: user.id, username: user.username }, { expiresIn: config.jwtExpiry });
-    reply.setCookie('token', token, tokenCookieOptions(config.cookieSecure)).send({ ok: true });
-  });
+      const token = app.jwt.sign(
+        { sub: result.user.id, username: result.user.username },
+        { expiresIn: config.jwtExpiry },
+      );
+      reply.setCookie('token', token, tokenCookieOptions(config.cookieSecure)).send({ ok: true });
+    },
+  );
 
   app.post('/logout', { preHandler: requireAuth }, async (_request, reply) => {
     reply.clearCookie('token', { path: '/' }).send({ ok: true });