nanodrop

brendan/nanodrop

Fork 0

Commit Graph

Author	SHA1	Message	Date
Brendan Chen	ad36b23061	feat(auth): add shared login handler with constant-time clamp All checks were successful Deploy to Homelab / deploy (push) Successful in 18s Details Single attemptLogin() orchestrates lockout check, bcrypt verify (against real or dummy hash), success/failure logging, and a configurable minimum response-time clamp. Both login routes will share this — no duplication. Adds three logger events for the operator's escalation pipeline: AUTH_LOCKOUT_TRIGGERED, AUTH_LOCKED_ATTEMPT, and AUTH_RATE_LIMITED. fail2ban filters can pick these up to escalate persistent attackers from in-app lockout to IP ban. Constant-time defense: unknown users still pay bcrypt cost (via dummy hash) and the clamp ensures locked-vs-unknown-vs-wrong-password aren't distinguishable by response time. Username is canonicalized (lowercase + trim) before lookup so attackers can't bypass lockout via case variation.	2026-05-03 03:34:15 -07:00
Brendan Chen	157d1e8230	Add auth service, storage service, types, and logging middleware - Auth service: hashPassword/verifyPassword via bcrypt - Storage service: saveFile, getFilePath, deleteStoredFile with ENOENT handling - Types: JwtPayload interface - Logging middleware: createLogger writing AUTH_FAILURE, AUTH_SUCCESS, FILE_NOT_FOUND - 27 tests passing Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-03 15:49:22 -08:00

Author

SHA1

Message

Date

Brendan Chen

ad36b23061

feat(auth): add shared login handler with constant-time clamp

Deploy to Homelab / deploy (push) Successful in 18s

Details

Single attemptLogin() orchestrates lockout check, bcrypt verify (against
real or dummy hash), success/failure logging, and a configurable minimum
response-time clamp. Both login routes will share this — no duplication.

Adds three logger events for the operator's escalation pipeline:
AUTH_LOCKOUT_TRIGGERED, AUTH_LOCKED_ATTEMPT, and AUTH_RATE_LIMITED.
fail2ban filters can pick these up to escalate persistent attackers from
in-app lockout to IP ban.

Constant-time defense: unknown users still pay bcrypt cost (via dummy hash)
and the clamp ensures locked-vs-unknown-vs-wrong-password aren't
distinguishable by response time. Username is canonicalized (lowercase + trim)
before lookup so attackers can't bypass lockout via case variation.

2026-05-03 03:34:15 -07:00

Brendan Chen

157d1e8230

Add auth service, storage service, types, and logging middleware

- Auth service: hashPassword/verifyPassword via bcrypt
- Storage service: saveFile, getFilePath, deleteStoredFile with ENOENT handling
- Types: JwtPayload interface
- Logging middleware: createLogger writing AUTH_FAILURE, AUTH_SUCCESS, FILE_NOT_FOUND
- 27 tests passing

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-03 15:49:22 -08:00

2 Commits