Security: Add Brute Force Protection with Account Lockout and Progressive Delays

[Smartdevs17]

Context

Authentication endpoints are targets for brute force attacks. Current rate limiting is not specific to login attempts.

Current Limitation/Problem

Login attempts have no per-account rate limiting. An attacker can try unlimited passwords against a single account, and there is no account lockout mechanism.

Expected Outcome

Progressive delay and account lockout for failed login attempts: delays increase exponentially, accounts lock after N attempts, with unlock via email verification or admin action.

Acceptance Criteria

• Track failed login attempts per account + IP
• Progressive delays: 1s, 5s, 30s, 2min, 10min, 1h after consecutive failures
• Account lockout after 10 consecutive failed attempts (within 24h window)
• Locked accounts cannot log in (all auth methods)
• Unlock: email verification link + time-based unlock (auto unlock after 24h)
• Admin unlock capability
• Notification email on account lockout
• Rate limit: max 3 login attempts/second per IP across all accounts
• Audit log for all login attempts (success/failure, IP, user agent)
• CAPTCHA after 3 failed attempts from same IP

Technical Scope

• backend/src/middleware/brute-force.ts - brute force protection
• backend/src/services/auth/lockout-manager.ts - lockout logic
• Redis: failed attempt counters with TTL, lockout state
• Prisma: AccountLockout, LoginAttempt models
• Frontend: lockout notification UI, unlock flow
• Edge cases: distributed brute force (many IPs, one account), legitimate lockouts, concurrent attempts

[web3nova]

@web3nova has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi maintainer I have thoroughly read the description to this issue and I can resolve this according to the description required ensuring it meet all the acceptance criteria kindly assign.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @web3nova to this issue.

[BigDella]

@BigDella has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

i will love to work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @BigDella to this issue.

[drips-wave]

Congratulations, @BigDella! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @BigDella: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been completed by @BigDella as part of the Stellar Wave Program's 6th Wave 🥳

😎 @BigDella: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here. You can also Leave a review to share your experience working on this issue.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.