GrottoCenter / grottocenter-api / 26345671836 / 1

87%

develop: 87%

Pull #1609

github

feat(auth): harden admin account security with TOTP MFA and brute-force protection

- Reduce admin token TTL to 10 days (non-admin remains 90 days)
- Add mandatory TOTP-based MFA with enrollment, verification, and reset endpoints
- Apply stricter rate limiting for admin login (5 req / 15 min / IP)
- Ban admin accounts after 5 consecutive failed logins or TOTP attempts
- Send email notifications on suspicious login activity and account ban
- Revoke all admin tokens on password change
- Update Swagger documentation with new MFA endpoints and login statuses

3386 of 4037 branches covered (83.87%)

Branch coverage included in aggregate %.

6798 of 7645 relevant lines covered (88.92%)

57.06 hits per line